diff --git a/.gitignore b/.gitignore index 1520277..856a089 100644 --- a/.gitignore +++ b/.gitignore @@ -39,3 +39,8 @@ content/stack/reference/drizzle/latest/ content/stack/reference/drizzle/v*/ .tmp-* .env.local + +# serena (local MCP tooling state) +.serena/ +# EQL release manifest extracted by generate-eql-docs.ts (see generate-eql-api-docs.ts) +.eql-manifest.release.json diff --git a/IA.md b/IA.md new file mode 100644 index 0000000..1294823 --- /dev/null +++ b/IA.md @@ -0,0 +1,457 @@ +# Docs V2 β€” Information Architecture & migration checklist + +Living checklist for the docs overhaul. Tracked in Linear under +[CIP-3307](https://linear.app/cipherstash/issue/CIP-3307); the full IA rationale +(design principles, audience doors, correctness strategy) lives in +`CipherStash docs IA v1.md` in the content repo. **Tick items here as they land +on the `v2` branch.** Legend: `[ ]` todo Β· `[x]` done Β· 🚧 stub exists Β· β›” blocked +on a product decision (see CIP-3307 checklist). + +## How this branch works + +- New IA lives in `content/docs`, served from the site root (`/docs/
/…`). +- The legacy tree (`content/stack`) is served alongside it at `/docs/stack/…` + until every section migrates, then deleted (CIP-3335). +- The full legacyβ†’v2 redirect map is `v2-redirects.mjs`, gated behind + `ENABLE_V2_REDIRECTS=1` (flipped on at merge). `bun run validate-redirects` + enforces that every legacy page has a mapping. +- Frontmatter facets (`type`, `components`, `audience`, `integration`, + `verifiedAgainst`, `reviewBy`) are defined in `source.config.ts` (`v2docs`). +- **Moving a page** = move the file into `content/docs`, update its facets, + fix inbound links, confirm its `v2-redirects.mjs` entry, tick it here. + +## URL conventions + +Lowercase, hyphens, no trailing slashes, no version numbers in paths. +Integrations are **flat** (no category segment). Error pages (future, miette) +live at `/docs/errors/` β€” permanent, never restructured (CIP-3338). + +--- + +## Content model β€” two axes + +The migration checklist below tracks _what_ moves; this section fixes _where +things go and why_, so placement stops being re-litigated per PR. + +### Terms + +- **Mode** β€” what the reader is trying to do. The four DiΓ‘taxis kinds + (tutorial, how-to, reference, explanation), plus our three audience doors + (integrations, solutions, security) which serve the same placement role. + A page has exactly one mode; the mode decides its sidebar home. +- **Component** β€” a layer of the product stack, drawn from the `components` + facet enum: `encryption` (Stack SDK), `platform` (CTS + ZeroKMS), `eql`, + `proxy`, `cli`. A page can touch several components at once. +- **Facet** β€” structured frontmatter that classifies a page along one axis + (`type`, `components`, `audience`, `integration`). Queryable; never shown + raw to users; independent of nav position. +- **Hub** β€” a per-component page at `/components/` that gathers + every page tagged with that component. A generated view, not a subtree. + Not every component has a hub: hubs are for _layers_ of the stack + (`encryption`, `platform`, `eql`, `proxy`). `cli` is a component but a + cross-cutting tool, not a layer, so it has no hub. +- **Locator** β€” the one hand-written paragraph (plus mini stack diagram) at the + top of a hub, orienting the reader: what the component is, what sits above and + below it. Prose, nothing else. + +### The rule + +**The sidebar is organized only by mode. The by-component view lives only on the hubs.** + +CipherStash is a dependency stack, not a set of independent product pillars: +integrations sit on the Stack SDK and Proxy, both consume EQL, and EQL sits on +the Platform (CTS + ZeroKMS). That is a graph. A sidebar is a tree. So we split +the two axes rather than forcing the graph into the tree. + +- **Mode axis (the tree).** Every page has exactly one home, chosen by _what the + reader is doing_: DiΓ‘taxis mode (`get-started`, `guides`, `reference`, + `concepts`) plus three audience doors (`integrations`, `solutions`, + `security`). The sidebar is built from `meta.json` and nothing else. +- **Component axis (the graph).** Which layers a page touches is the `components` + facet β€” never a sidebar section. The dependency graph is expressed by facets + and surfaced by hub pages, so a shared layer like EQL is documented once and + referenced everywhere. + +Why the pillar layouts (Supabase, Clerk, GitHub) don't transfer: those are +feature-pillar products whose parts are independent, so each pillar can be its +own subtree. Our parts are layers in a dependency stack β€” a shared layer has no +single natural parent, so it cannot be a tree node without duplication. + +### Placement test + +Two questions, in this order, for every page: + +1. _Which mode is this?_ β†’ decides the folder (its one sidebar home). +2. _Which components does it touch?_ β†’ sets the `components` facet. + +Never the reverse. If you are tempted to file a page _under_ a component, that is +the signal to file it by mode and tag the component instead. + +### Invariants + +- The sidebar tree is `meta.json` only. Facets never affect nav position + (already asserted by the schema comment in `source.config.ts`). +- A page appears in exactly one place in the tree. Cross-cutting reuse happens + through links and hubs, never by duplicating a page under a second parent. +- Shared mechanics have exactly one canonical page; every other page links, + never restates. This generalises the existing EQL rule (mechanics live in + `/reference/eql/core-concepts`; category pages link to it) to every component. +- Each component has exactly one hub at `/components/`. A hub is a + facet-driven _view_: it links to canonical pages and owns no mechanics. +- `/get-started/what-is-cipherstash` renders the components map; its nodes link + to the hubs. The hubs are the _only_ component-first surface, and they hold no + primary content β€” so they do not recreate the legacy component-first tree + (the old `root: true` Encryption/KMS/Proxy/Platform tabs). + +#### A note on hub URLs + +Hubs live at the top-level path `/components/` for a short, memorable +front door, but are anchored in the sidebar under Get started (Fumadocs takes +nav position from `meta.json` independently of the URL). If you would rather the +URL mirror the nav, use `/get-started/components/` instead β€” either +works; pick one and add it to `v2-redirects.mjs`. + +### Sidebar + +Mode-first, seven top-level sections. `compare` is folded into `concepts` (each +comparison already belongs to a door: aws-kms and vault are security-review +material, fhe and rls-and-tde are concepts). Component hubs are anchored under +Get started, not given their own top-level tab. + +``` +Get started +β”œβ”€ What is CipherStash mental model Β· components map Β· audience router +β”œβ”€ Quickstart +β”œβ”€ Choose your stack platform Γ— ORM Γ— auth matrix +β”œβ”€ Examples +└─ Components ← hub views (facet-driven, link-only) + β”œβ”€ Stack SDK + β”œβ”€ Proxy + β”œβ”€ EQL (shared) + └─ Platform (CTS + ZeroKMS) +Integrations flat; category grid on the index +β”œβ”€ Supabase (Database Β· Auth Β· Dashboard) +β”œβ”€ Drizzle Β· Prisma Β· Next.js Β· TypeScript +β”œβ”€ Clerk Β· Auth0 Β· Okta +β”œβ”€ AWS (RDS/Aurora Β· DynamoDB) +└─ Serverless Β· Docker +Concepts +β”œβ”€ Privacy-first design +β”œβ”€ Application-level encryption +β”œβ”€ Searchable encryption canonical leakage model +β”œβ”€ EQL typed-column model +β”œβ”€ Key management +β”œβ”€ Identity-aware encryption +β”œβ”€ Threat modelling +└─ Compare aws-kms Β· fhe Β· rls-and-tde Β· hashicorp-vault +Guides +β”œβ”€ Development local setup Β· schema design Β· testing & CI Β· onboarding +β”œβ”€ Migration encrypt existing data Β· adopt incrementally Β· key rotation +β”œβ”€ Deployment production Β· serverless & bundling Β· proxy deployment +└─ Troubleshooting query performance Β· runtime errors Β· cli Β· proxy +Security +β”œβ”€ Architecture one reconciled ZeroKMS story +β”œβ”€ ZeroKMS Β· CTS Β· Stack SDK Β· Proxy +β”œβ”€ Threat scenarios +β”œβ”€ Availability Β· Audit logging Β· Key ownership +└─ Compliance HIPAA Β· SOC 2 Β· GDPR +Solutions +└─ Protecting PII Β· Healthcare/HIPAA Β· AI & RAG Β· Data residency Β· Provable access +Reference +β”œβ”€ EQL core-concepts Β· numbers Β· dates Β· text Β· json Β· … Β· joins +β”œβ”€ Stack SDK client Β· schema Β· encrypt-decrypt Β· supabase Β· drizzle-operators Β· errors +β”œβ”€ Auth lock-contexts Β· cts-tokens Β· oidc Β· access-keys +β”œβ”€ CLI Β· Proxy Β· Workspace +└─ Benchmarks Β· Agent skills Β· Glossary +``` + +### Hub pages + +One per component, at `/components/`. Same template every time: + +1. **Locator** β€” one paragraph plus the stack diagram with this layer + highlighted: what it is, what it sits on, what sits on it. +2. **Start here** β€” the one or two canonical entry pages. +3. **By mode** β€” grouped links (Concepts Β· Guides Β· Reference Β· Security Β· + Integrations that use it). Every entry links to its canonical mode-home. +4. Nothing else. No mechanics, no examples that live elsewhere. + +The "By mode" lists are generated, not hand-maintained: filter +`source.getPages()` to pages whose `components` facet includes this component, +then group by `type`. "Integrations that use it" is the subset whose frontmatter +also carries an `integration` block. This is why the facet earns its keep β€” the +hubs cost nothing to maintain once a page is correctly tagged. + +**Tagging rule β€” `eql` is conditional, not automatic.** Stack encrypts values +in three modes: general-purpose (a value in your app), Postgres columns, and +non-Postgres stores like DynamoDB. Only the Postgres path involves EQL. So tag +`eql` only when the page is actually about queryable-in-Postgres ciphertext. +General-purpose and DynamoDB pages are `components: [encryption, platform]` with +_no_ `eql` β€” DynamoDB (`encryptedDynamoDB`) is the canonical no-EQL example and +the reason "Stack depends on EQL" is wrong. EQL is the Postgres searchability +layer, not a layer every Stack page sits on. + +#### Stack SDK β€” `/components/stack-sdk` (facet: `encryption`) + +- Locator: the TypeScript SDK; encrypt and decrypt values in your app. Sits on + the Platform. Add EQL when the data lives in Postgres and you want the + ciphertext queryable there β€” but Stack also encrypts general-purpose values + and non-Postgres stores (e.g. DynamoDB) with no EQL at all. +- Start here: Quickstart Β· Reference β†’ Stack SDK (client + configuration) +- Concepts: application-level encryption Β· searchable encryption Β· identity-aware encryption +- Guides: schema design Β· encrypt existing data Β· testing & CI Β· serverless & bundling +- Reference: `/reference/stack/*` (schema Β· encrypt-decrypt Β· supabase Β· drizzle-operators Β· errors) +- Security: `/security/stack-sdk` +- Integrations (auto): Supabase Β· Drizzle Β· Prisma Β· DynamoDB Β· Next.js … + +#### Proxy β€” `/components/proxy` (facet: `proxy`) + +- Locator: the no-app-changes path; sits in front of Postgres and speaks EQL for you. +- Start here: Reference β†’ Proxy (configuration) Β· Guides β†’ Proxy deployment +- Concepts: application-level encryption Β· searchable encryption +- Guides: proxy deployment Β· going to production +- Reference: `/reference/proxy/*` (configuration Β· message-flow Β· multitenant Β· errors) +- Security: `/security/proxy` +- Integrations (auto): AWS RDS/Aurora Β· Docker +- See also: EQL hub (shared dependency) + +#### EQL β€” `/components/eql` (facet: `eql`) ← the shared spine + +- Locator: the Postgres searchability layer. Makes ciphertext queryable in + Postgres by declaring an encrypted column's capability in the schema. The + Proxy always speaks EQL; the Stack SDK uses it only on its Postgres path (not + for general-purpose or DynamoDB encryption). +- Start here: Reference β†’ EQL (install) Β· EQL core-concepts +- Concepts: EQL (typed-column model) Β· searchable encryption (leakage model) +- Reference: the whole `/reference/eql/*` tree +- Guides: troubleshooting β†’ query performance +- Consumed by: Proxy hub (always) Β· Stack SDK hub (Postgres path only) +- Anti-drift: mechanics live in `/reference/eql/core-concepts`; this hub links only. + +#### Platform β€” `/components/platform` (facet: see vocab note) ← the foundation + +- Locator: the base everything relies on β€” key management (ZeroKMS) and identity-bound access (CTS). +- Start here: Security β†’ Architecture Β· Concepts β†’ Key management +- Concepts: key management Β· identity-aware encryption +- Reference: `/reference/auth/*` (lock-contexts Β· cts-tokens Β· oidc Β· access-keys) +- Security: architecture Β· zerokms Β· cts Β· availability Β· audit logging Β· key ownership +- Integrations (auto): Clerk Β· Auth0 Β· Okta + +### Worked example: how auth fits + +Auth is the concern most likely to feel like it needs its own section β€” it spans +the SDK, the Proxy, local dev, the Platform, and every auth provider. It doesn't +get one. It's the case that shows the model absorbing a cross-cutting concern +without bending: auth isn't a _layer_, it's a concern that shows up _on_ layers, +so it lives as facets and links, never as a tree section or a hub. + +"Auth" names several distinct things. Keep them separate: + +| Thing | What it is | `components` | Canonical home | +|---|---|---|---| +| CTS | Identity service in the Platform | `platform` | `/security/cts`, `/reference/auth/*` | +| `@cipherstash/auth` | Stack package (identity-aware encryption) | `[encryption, platform]` | `/reference/stack/auth` | +| Proxy stack-auth | How auth works inside the Proxy | `[proxy, platform]` | `/reference/proxy/*`, `/security/proxy` | +| Next.js adapter | Framework integration | `[encryption, platform]` | `/integrations/nextjs` | +| Clerk / Auth0 / Okta | Auth-provider integrations | `[platform]` | `/integrations/*` (`category: auth-provider`) | + +None of these is filed under an "auth" section, because there isn't one. Each is +filed by _mode_ (service β†’ Security/Reference, package β†’ Reference, providers β†’ +Integrations) and tagged by _component_. The through-line is reassembled by +queries, not by a subtree: + +- The Platform hub gathers all of it β€” everything above carries `platform`. +- Faceted search on `integration.category: auth-provider` gives the providers. +- `/concepts/identity-aware-encryption` is the one explanatory page that ties the + concept together in prose; everything else links to it (anti-drift rule). + +Naming caution: `/reference/auth/*` means the CTS _service_; the `@cipherstash/auth` +_package_ lives at `/reference/stack/auth`. Two different things both called +"auth" β€” keep the paths distinct so contributors don't merge them. + +The `components` facet enum is `[encryption, platform, eql, proxy, cli]` +(collapsing the former `auth` and `zerokms` into a single `platform`, matching +the product story "Platform = CTS + ZeroKMS"). This maps 1:1 onto the hubs: +`encryption` β†’ Stack SDK, `platform`, `eql`, `proxy`. + +Two notes: + +- The `encryption` facet value and its hub title **Stack SDK** differ on + purpose β€” the facet names the capability, the hub names the product. Document + once, move on. +- Collapsing `auth`/`zerokms` into `platform` means you can't isolate the + CTS/identity pages by facet query anymore β€” a `platform` query returns all of + Platform. That distinction still lives in nav location (`/security/cts` vs + `/security/zerokms`) and in `integration.category: auth-provider` for the + Clerk/Auth0/Okta pages, so it isn't lost β€” it just isn't on the `components` + axis. + +--- + +## Get started β€” CIP-3327 + +- [x] Section scaffold 🚧 +- [ ] `/get-started/what-is-cipherstash` β€” mental model, components map, audience router +- [ ] `/get-started/quickstart` β€” rewritten on EQL v3 (fixes `cs_match_v1`, broken scaffold imports) +- [ ] `/get-started/choose-your-stack` β€” static matrix v1 (platform Γ— ORM Γ— auth) +- [ ] `/get-started/examples` β€” runnable example apps index +- [ ] `/docs` landing page 🚧 β€” now `content/docs/index.mdx` rendered inside the docs + nav (the old standalone `(home)` route is deleted; recoverable from git history). + CIP-3327 refines the content (what-is + audience router) + +## Integrations β€” CIP-3328 (Supabase), CIP-3330 (auth), CIP-3336 (rest) + +- [x] Section scaffold 🚧 (index + supabase stub with facet exemplar) +- [ ] `/integrations` index β€” category grid w/ setup badges +- [ ] `/integrations/supabase` β€” flagship tutorial (CIP-3328) +- [ ] `/integrations/supabase/database` +- [ ] `/integrations/supabase/auth` +- [ ] `/integrations/supabase/dashboard-experience` β€” Table Editor, expose eql schema +- [ ] β›” `/integrations/supabase/edge-functions` β€” pending Deno/FFI answer +- [ ] β›” `/integrations/supabase/realtime` β€” pending product verification +- [ ] `/integrations/drizzle` β€” merge the two divergent Drizzle pages +- [ ] `/integrations/prisma-next` +- [ ] `/integrations/aws/rds-aurora` β€” Proxy path +- [ ] `/integrations/aws/dynamodb` +- [ ] `/integrations/clerk` +- [ ] `/integrations/auth0` β€” end-to-end example (Clerk parity) +- [ ] `/integrations/okta` β€” end-to-end example (Clerk parity) +- [ ] `/integrations/nextjs` +- [ ] `/integrations/typescript` β€” thin router to Stack SDK reference +- [ ] `/integrations/serverless` β€” Vercel/Lambda, bundling, CS_CONFIG_PATH +- [ ] `/integrations/docker` +- [ ] β›” `/integrations/edge-workers` β€” pending Deno/workerd answer + +## Concepts β€” CIP-3333 (searchable-encryption), others per section tickets + +- [x] Section scaffold 🚧 +- [ ] `/concepts/privacy-first-design` +- [ ] `/concepts/application-level-encryption` β€” vs TDE/pgcrypto/RLS +- [ ] `/concepts/searchable-encryption` β€” REWRITE with honest leakage model (canonical leakage page) +- [ ] `/concepts/eql` β€” the typed-column model (declare capability in the schema) +- [ ] `/concepts/key-management` β€” per-value keys, rotation, crypto-shredding +- [ ] `/concepts/identity-aware-encryption` β€” lock contexts, CTS (CIP-3330) +- [ ] `/concepts/threat-modelling` + +## Comparisons β€” CIP-3333 + +Folded into Concepts (see the sidebar spec above): the comparison pages live at +`/concepts/compare/*`, not a top-level `/compare` tab. `/stack/reference/comparisons` +and the old `/compare/*` paths redirect there (`v2-redirects.mjs`). + +- [x] Section scaffold 🚧 (moved under `concepts/`) +- [ ] `/concepts/compare/aws-kms` (port) +- [ ] `/concepts/compare/fhe` (port) +- [ ] `/concepts/compare/zerokms-vs-hsm` (ZeroKMS vs hardware security modules) +- [ ] `/concepts/compare/rls-and-tde` (new β€” expand the Supabase-listing RLS contrast) +- [ ] `/concepts/compare/hashicorp-vault` (in flight on `docs/vault-comparison` branch β€” land there or here, then port) + +## Guides + +- [x] Section scaffold 🚧 (development, migration, deployment, troubleshooting) +- [ ] `/guides/development/local-setup` β€” profiles, device auth, workspaces, keys +- [ ] `/guides/development/schema-design` β€” which encrypted type/variant per column (CIP-3327) +- [ ] `/guides/development/testing-and-ci` (port deploy/testing) +- [ ] `/guides/development/team-onboarding` (port) +- [ ] `/guides/migration/encrypt-existing-data` β€” the backfill guide, runnable (CIP-3329) +- [ ] β›” `/guides/migration/upgrading-from-eql-v2` β€” REQUIRED; mechanics pending product answer (CIP-3329) +- [ ] `/guides/migration/adopting-incrementally` (CIP-3329) +- [ ] `/guides/migration/key-rotation-operations` +- [ ] `/guides/deployment/going-to-production` (port) +- [ ] `/guides/deployment/serverless-and-bundling` (merge bundling + sst) +- [ ] `/guides/deployment/proxy-deployment` (merge proxy Docker + aws-ecs) +- [ ] `/guides/troubleshooting` index β€” symptom-based router +- [ ] `/guides/troubleshooting/query-performance` β€” seq-scan diagnosis, typed-operand gotcha +- [ ] `/guides/troubleshooting/runtime-errors` +- [ ] `/guides/troubleshooting/cli` (port) +- [ ] `/guides/troubleshooting/proxy` (port) + +## Architecture & security β€” CIP-3331, CIP-3332 (compliance) + +- [x] Section scaffold 🚧 +- [x] `/security/cryptography` β€” ONE reconciled ZeroKMS mechanism story (kills the 3 conflicting accounts) +- [ ] `/security/zerokms` +- [ ] `/security/cts` β€” auth layer architecture (CIP-3330) +- [ ] `/security/stack-sdk` +- [ ] `/security/proxy` +- [ ] `/security/threat-scenarios` +- [ ] β›” `/security/availability-and-continuity` β€” DR (port) + SLA + exit story; pending SLA answer +- [ ] β›” `/security/audit-logging` β€” pending retention answer +- [ ] β›” `/security/key-ownership` β€” BYOK/self-hosted; pending product answer +- [ ] `/security/compliance` index β€” framework mapping (port, good) +- [ ] `/security/compliance/hipaa` β€” BAA scope, Β§164.312 mapping (CIP-3332) +- [ ] `/security/compliance/soc2` β€” verify Type II report exists +- [ ] `/security/compliance/gdpr` + +## Solutions + +- [x] Section scaffold 🚧 +- [ ] `/solutions/protecting-pii` (new) +- [ ] `/solutions/healthcare-hipaa` (new; pairs with compliance/hipaa) +- [ ] `/solutions/ai-and-rag` (port use-cases/ai-rag) +- [ ] `/solutions/data-residency` (port) +- [ ] `/solutions/provable-access` (port) + +## Reference + +- [x] Section scaffold 🚧 (eql, stack, auth, cli, proxy, workspace) +- **EQL (v3 rewrite β€” CIP-3326; Tailwind-shaped: install β†’ core concepts β†’ type + categories β†’ indexes β†’ query patterns). Anti-drift rule: shared mechanics + (typed operands, blockers, envelope, variant model, ORE-equality) live ONLY in + core-concepts β€” category/query pages link, never restate:** +- [x] `/reference/eql` β€” install (single SQL file, permissions split, dbdev, Docker) +- [x] `/reference/eql/core-concepts` β€” variant model, payload anatomy (absorbs + cipher-cell), typed-operand rule, fail-loud blockers, term leakage pointer +- [x] `/reference/eql/numbers` β€” int*/float*/numeric +- [x] `/reference/eql/dates-and-times` β€” date/timestamp (same traits as numbers, + distinct semantics) +- [x] `/reference/eql/text` β€” all six text variants; owns the no-LIKE treatment +- [x] `/reference/eql/json` β€” ste_vec + sv payload shape + containment/path queries +- [x] `/reference/eql/booleans` β€” storage-only variants (bool has only that one) +- [x] `/reference/eql/indexes` β€” functional indexes on extractors; Supabase-compatible +- [x] `/reference/eql/filtering` β€” =, IN, ranges, token match, containment +- [x] `/reference/eql/sorting` β€” ORDER BY, extractor sort-key form, pagination +- [x] `/reference/eql/grouping-and-aggregates` β€” GROUP BY/DISTINCT, min/max, no SUM/AVG +- [x] `/reference/eql/joins` β€” equijoins, the same-keyset constraint +- [ ] β›” `/reference/eql/query-performance` β€” port the EQL repo performance guide once + rewritten for v3 upstream (v3 branch folded it into database-indexes.md; verify + nothing from the v2 guide on main was lost) β€” see CIP-3351 +- **Stack SDK:** +- [ ] `/reference/stack` β€” client + configuration (port encryption/* pages) +- [ ] `/reference/stack/schema` +- [ ] `/reference/stack/encrypt-decrypt` (+ bulk, models) +- [ ] `/reference/stack/supabase` β€” THE canonical `encryptedSupabase` page, ONE signature (CIP-3328) +- [ ] `/reference/stack/drizzle-operators` +- [ ] `/reference/stack/errors` β€” port error-handling; miette catalog later (CIP-3338) +- [ ] `/reference/stack/upgrading-from-protect` (retitled package-rename guide) +- **Auth (CIP-3330):** +- [ ] `/reference/auth/lock-contexts` +- [ ] `/reference/auth/cts-tokens` +- [ ] `/reference/auth/oidc-configuration` +- [ ] `/reference/auth/access-keys` (+ clients) +- **CLI / Proxy / Workspace:** +- [ ] `/reference/cli/*` (port 9 pages) +- [ ] `/reference/proxy/*` (configuration, message-flow, multitenant, errors) +- [ ] `/reference/workspace/billing` + `/members` + `/configuration` +- **Cross-cutting:** +- [ ] `/reference/benchmarks` β€” listing numbers + methodology (CIP-3334) +- [ ] `/reference/agent-skills` (port; expand per CIP-3339) +- [ ] `/reference/glossary` (port) +- [ ] Repoint `scripts/generate-docs.ts` TypeDoc output β†’ `content/docs/reference/stack` + +## Infrastructure / final pass + +- [x] `v2` branch + this checklist +- [x] `v2docs` collection + facet schema (`source.config.ts`) +- [x] Root catch-all routes (`src/app/[...slug]`), llms.mdx mirror, sitemap/llms.txt include v2 +- [x] `v2-redirects.mjs` (flag-gated) + `validate-redirects` gate in prebuild +- [x] `/quickstart` vanity redirect +- [ ] OG images for v2 pages (route only covers legacy tree) +- [ ] Correctness CI: snippet type-checking, SQL-vs-EQL-Docker, terminology lint (CIP-3337) +- [ ] llms.txt curation + Cloudflare AI crawl policy + md-degradation check (CIP-3339) +- [ ] β›” EQL 3.0.0 release alignment (CIP-3352, blocks CIP-3335) β€” the EQL reference + documents the release as decided, ahead of the eql_v3 branch: payload `v: 3`, + OPE SEM specifier, Docker tag `:17-3.0.0`, `version()` output, schema files. + Each must land upstream or be walked back in the docs before merge +- [ ] Flip `ENABLE_V2_REDIRECTS=1`, delete `content/stack` + `/stack` routes + legacy loader (CIP-3335) +- [ ] Consistency sweep + Supabase listing v3 revision (CIP-3335) diff --git a/biome.json b/biome.json index 95df3a1..ebbb858 100644 --- a/biome.json +++ b/biome.json @@ -1,5 +1,5 @@ { - "$schema": "https://biomejs.dev/schemas/2.2.0/schema.json", + "$schema": "https://biomejs.dev/schemas/2.3.15/schema.json", "vcs": { "enabled": true, "clientKind": "git", @@ -7,7 +7,15 @@ }, "files": { "ignoreUnknown": true, - "includes": ["**", "!node_modules", "!.next", "!dist", "!build", "!.source"] + "includes": [ + "**", + "!node_modules", + "!.next", + "!dist", + "!build", + "!.source", + "!src/app/global.css" + ] }, "formatter": { "enabled": true, diff --git a/bun.lock b/bun.lock index 8a38c5d..aa71d99 100644 --- a/bun.lock +++ b/bun.lock @@ -10,6 +10,7 @@ "fumadocs-ui": "16.6.0", "github-slugger": "^2.0.0", "lucide-react": "^0.563.0", + "mermaid": "^11.16.0", "next": "16.2.3", "posthog-js": "^1.354.0", "posthog-node": "^5.26.0", @@ -20,10 +21,12 @@ "devDependencies": { "@biomejs/biome": "^2.3.14", "@tailwindcss/postcss": "^4.1.18", + "@types/jsdom": "^28.0.3", "@types/mdx": "^2.0.13", "@types/node": "^25.2.1", "@types/react": "^19.2.13", "@types/react-dom": "^19.2.3", + "jsdom": "^29.1.1", "postcss": "^8.5.6", "tailwindcss": "^4.1.18", "tsx": "^4.0.0", @@ -37,6 +40,16 @@ "packages": { "@alloc/quick-lru": ["@alloc/quick-lru@5.2.0", "", {}, "sha512-UrcABB+4bUrFABwbluTIBErXwvbsU/V7TZWfmbgJfbkwiBuziS9gxdODUyuiecfdGQ85jglMW6juS3+z5TsKLw=="], + "@antfu/install-pkg": ["@antfu/install-pkg@1.1.0", "", { "dependencies": { "package-manager-detector": "^1.3.0", "tinyexec": "^1.0.1" } }, "sha512-MGQsmw10ZyI+EJo45CdSER4zEb+p31LpDAFp2Z3gkSd1yqVZGi0Ebx++YTEMonJy4oChEMLsxZ64j8FH6sSqtQ=="], + + "@asamuzakjp/css-color": ["@asamuzakjp/css-color@5.1.11", "", { "dependencies": { "@asamuzakjp/generational-cache": "^1.0.1", "@csstools/css-calc": "^3.2.0", "@csstools/css-color-parser": "^4.1.0", "@csstools/css-parser-algorithms": "^4.0.0", "@csstools/css-tokenizer": "^4.0.0" } }, "sha512-KVw6qIiCTUQhByfTd78h2yD1/00waTmm9uy/R7Ck/ctUyAPj+AEDLkQIdJW0T8+qGgj3j5bpNKK7Q3G+LedJWg=="], + + "@asamuzakjp/dom-selector": ["@asamuzakjp/dom-selector@7.1.1", "", { "dependencies": { "@asamuzakjp/generational-cache": "^1.0.1", "@asamuzakjp/nwsapi": "^2.3.9", "bidi-js": "^1.0.3", "css-tree": "^3.2.1", "is-potential-custom-element-name": "^1.0.1" } }, "sha512-67RZDnYRc8H/8MLDgQCDE//zoqVFwajkepHZgmXrbwybzXOEwOWGPYGmALYl9J2DOLfFPPs6kKCqmbzV895hTQ=="], + + "@asamuzakjp/generational-cache": ["@asamuzakjp/generational-cache@1.0.1", "", {}, "sha512-wajfB8KqzMCN2KGNFdLkReeHncd0AslUSrvHVvvYWuU8ghncRJoA50kT3zP9MVL0+9g4/67H+cdvBskj9THPzg=="], + + "@asamuzakjp/nwsapi": ["@asamuzakjp/nwsapi@2.3.9", "", {}, "sha512-n8GuYSrI9bF7FFZ/SjhwevlHc8xaVlb/7HmHelnc/PZXBD2ZR49NnN9sMMuDdEGPeeRQ5d0hqlSlEpgCX3Wl0Q=="], + "@biomejs/biome": ["@biomejs/biome@2.3.15", "", { "optionalDependencies": { "@biomejs/cli-darwin-arm64": "2.3.15", "@biomejs/cli-darwin-x64": "2.3.15", "@biomejs/cli-linux-arm64": "2.3.15", "@biomejs/cli-linux-arm64-musl": "2.3.15", "@biomejs/cli-linux-x64": "2.3.15", "@biomejs/cli-linux-x64-musl": "2.3.15", "@biomejs/cli-win32-arm64": "2.3.15", "@biomejs/cli-win32-x64": "2.3.15" }, "bin": { "biome": "bin/biome" } }, "sha512-u+jlPBAU2B45LDkjjNNYpc1PvqrM/co4loNommS9/sl9oSxsAQKsNZejYuUztvToB5oXi1tN/e62iNd6ESiY3g=="], "@biomejs/cli-darwin-arm64": ["@biomejs/cli-darwin-arm64@2.3.15", "", { "os": "darwin", "cpu": "arm64" }, "sha512-SDCdrJ4COim1r8SNHg19oqT50JfkI/xGZHSyC6mGzMfKrpNe/217Eq6y98XhNTc0vGWDjznSDNXdUc6Kg24jbw=="], @@ -55,6 +68,24 @@ "@biomejs/cli-win32-x64": ["@biomejs/cli-win32-x64@2.3.15", "", { "os": "win32", "cpu": "x64" }, "sha512-kDZr/hgg+igo5Emi0LcjlgfkoGZtgIpJKhnvKTRmMBv6FF/3SDyEV4khBwqNebZIyMZTzvpca9sQNSXJ39pI2A=="], + "@braintree/sanitize-url": ["@braintree/sanitize-url@7.1.2", "", {}, "sha512-jigsZK+sMF/cuiB7sERuo9V7N9jx+dhmHHnQyDSVdpZwVutaBu7WvNYqMDLSgFgfB30n452TP3vjDAvFC973mA=="], + + "@bramus/specificity": ["@bramus/specificity@2.4.2", "", { "dependencies": { "css-tree": "^3.0.0" }, "bin": { "specificity": "bin/cli.js" } }, "sha512-ctxtJ/eA+t+6q2++vj5j7FYX3nRu311q1wfYH3xjlLOsczhlhxAg2FWNUXhpGvAw3BWo1xBcvOV6/YLc2r5FJw=="], + + "@chevrotain/types": ["@chevrotain/types@11.1.2", "", {}, "sha512-U+HFai5+zmJCkK86QsaJtoITlboZHBqrVketcO2ROv865xfCMSFpELQoz1GkX5GzME8pTa+3kbKrZHQtI0gdbw=="], + + "@csstools/color-helpers": ["@csstools/color-helpers@6.1.0", "", {}, "sha512-064IFJdjTfUqnjpCVpMOdbr8FLQBhinbZj6yRv2An2E41O/pLEXqfFRWqGq/SxlE5PEUYTlvWsG2r8MswAVvkg=="], + + "@csstools/css-calc": ["@csstools/css-calc@3.2.1", "", { "peerDependencies": { "@csstools/css-parser-algorithms": "^4.0.0", "@csstools/css-tokenizer": "^4.0.0" } }, "sha512-DtdHlgXh5ZkA43cwBcAm+huzgJiwx3ZTWVjBs94kwz2xKqSimDA3lBgCjphYgwgVUMWatSM0pDd8TILB1yrVVg=="], + + "@csstools/css-color-parser": ["@csstools/css-color-parser@4.1.9", "", { "dependencies": { "@csstools/color-helpers": "^6.1.0", "@csstools/css-calc": "^3.2.1" }, "peerDependencies": { "@csstools/css-parser-algorithms": "^4.0.0", "@csstools/css-tokenizer": "^4.0.0" } }, "sha512-paQcIaOO53Rk5+YrBaBjm/SgrV4INImjo2BT1DtQRYr+XeTRbeAYlS+jxXp9drqvKmtFnWRJKIalDLhZZDu42A=="], + + "@csstools/css-parser-algorithms": ["@csstools/css-parser-algorithms@4.0.0", "", { "peerDependencies": { "@csstools/css-tokenizer": "^4.0.0" } }, "sha512-+B87qS7fIG3L5h3qwJ/IFbjoVoOe/bpOdh9hAjXbvx0o8ImEmUsGXN0inFOnk2ChCFgqkkGFQ+TpM5rbhkKe4w=="], + + "@csstools/css-syntax-patches-for-csstree": ["@csstools/css-syntax-patches-for-csstree@1.1.6", "", { "peerDependencies": { "css-tree": "^3.2.1" }, "optionalPeers": ["css-tree"] }, "sha512-TcJCWFbXLPpJYq6z7bfOyjWYJDiDg2/I4gyUC9pqPNqHFRIey0EB0q0L5cSnQDfWJg8Jd6VadakxdIez/3zkqQ=="], + + "@csstools/css-tokenizer": ["@csstools/css-tokenizer@4.0.0", "", {}, "sha512-QxULHAm7cNu72w97JUNCBFODFaXpbDg+dP8b/oWFAZ2MTRppA3U00Y2L1HqaS4J6yBqxwa/Y3nMBaxVKbB/NsA=="], + "@emnapi/runtime": ["@emnapi/runtime@1.8.1", "", { "dependencies": { "tslib": "2.8.1" } }, "sha512-mehfKSMWjjNol8659Z8KxEMrdSJDDot5SXMq00dM8BN4o+CLNXQ0xH2V7EchNHV4RmbZLmmPdEaXZc5H2FXmDg=="], "@esbuild/aix-ppc64": ["@esbuild/aix-ppc64@0.27.3", "", { "os": "aix", "cpu": "ppc64" }, "sha512-9fJMTNFTWZMh5qwrBItuziu834eOCUcEqymSH7pY+zoMVEZg3gcPuBNxH1EvfVYe9h0x/Ptw8KBzv7qxb7l8dg=="], @@ -109,6 +140,8 @@ "@esbuild/win32-x64": ["@esbuild/win32-x64@0.27.3", "", { "os": "win32", "cpu": "x64" }, "sha512-4uJGhsxuptu3OcpVAzli+/gWusVGwZZHTlS63hh++ehExkVT8SgiEf7/uC/PclrPPkLhZqGgCTjd0VWLo6xMqA=="], + "@exodus/bytes": ["@exodus/bytes@1.15.1", "", { "peerDependencies": { "@noble/hashes": "^1.8.0 || ^2.0.0" }, "optionalPeers": ["@noble/hashes"] }, "sha512-S6mL0yNB/Abt9Ei4tq8gDhcczc4S3+vQ4ra7vxnAf+YHC02srtqxKKZghx2Dq6p0e66THKwR6r8N6P95wEty7Q=="], + "@floating-ui/core": ["@floating-ui/core@1.7.4", "", { "dependencies": { "@floating-ui/utils": "0.2.10" } }, "sha512-C3HlIdsBxszvm5McXlB8PeOEWfBhcGBTZGkGlWc2U0KFY5IwG5OQEuQ8rq52DZmcHDlPLd+YFBK+cZcytwIFWg=="], "@floating-ui/dom": ["@floating-ui/dom@1.7.5", "", { "dependencies": { "@floating-ui/core": "1.7.4", "@floating-ui/utils": "0.2.10" } }, "sha512-N0bD2kIPInNHUHehXhMke1rBGs1dwqvC9O9KYMyyjK7iXt7GAhnro7UlcuYcGdS/yYOlq0MAVgrow8IbWJwyqg=="], @@ -125,6 +158,10 @@ "@gerrit0/mini-shiki": ["@gerrit0/mini-shiki@3.22.0", "", { "dependencies": { "@shikijs/engine-oniguruma": "3.22.0", "@shikijs/langs": "3.22.0", "@shikijs/themes": "3.22.0", "@shikijs/types": "3.22.0", "@shikijs/vscode-textmate": "10.0.2" } }, "sha512-jMpciqEVUBKE1QwU64S4saNMzpsSza6diNCk4MWAeCxO2+LFi2FIFmL2S0VDLzEJCxuvCbU783xi8Hp/gkM5CQ=="], + "@iconify/types": ["@iconify/types@2.0.0", "", {}, "sha512-+wluvCrRhXrhyOmRDJ3q8mux9JkKy5SJ/v8ol2tu4FVjyYvtEzkc/3pK15ET6RKg4b4w4BmTk1+gsCUhf21Ykg=="], + + "@iconify/utils": ["@iconify/utils@3.1.4", "", { "dependencies": { "@antfu/install-pkg": "^1.1.0", "@iconify/types": "^2.0.0", "import-meta-resolve": "^4.2.0" } }, "sha512-b1S7B1k9ohZ+iNTi2ATxbRYG9fTrJmUT0rc46bvVnNxqNRGW7dyo/vRREwyniI5IRN2RSJHDcm+s3BjWrSAjHw=="], + "@img/colour": ["@img/colour@1.0.0", "", {}, "sha512-A5P/LfWGFSl6nsckYtjw9da+19jB8hkJ6ACTGcDfEJ0aE+l2n2El7dsVM7UVHZQ9s2lmYMWlrS21YLy2IR1LUw=="], "@img/sharp-darwin-arm64": ["@img/sharp-darwin-arm64@0.34.5", "", { "optionalDependencies": { "@img/sharp-libvips-darwin-arm64": "1.2.4" }, "os": "darwin", "cpu": "arm64" }, "sha512-imtQ3WMJXbMY4fxb/Ndp6HBTNVtWCUI0WdobyheGf5+ad6xX8VIDO8u2xE4qc/fr08CKG/7dDseFtn6M6g/r3w=="], @@ -187,6 +224,8 @@ "@mdx-js/mdx": ["@mdx-js/mdx@3.1.1", "", { "dependencies": { "@types/estree": "1.0.8", "@types/estree-jsx": "1.0.5", "@types/hast": "3.0.4", "@types/mdx": "2.0.13", "acorn": "8.15.0", "collapse-white-space": "2.1.0", "devlop": "1.1.0", "estree-util-is-identifier-name": "3.0.0", "estree-util-scope": "1.0.0", "estree-walker": "3.0.3", "hast-util-to-jsx-runtime": "2.3.6", "markdown-extensions": "2.0.0", "recma-build-jsx": "1.0.0", "recma-jsx": "1.0.1", "recma-stringify": "1.0.0", "rehype-recma": "1.0.0", "remark-mdx": "3.1.1", "remark-parse": "11.0.0", "remark-rehype": "11.1.2", "source-map": "0.7.6", "unified": "11.0.5", "unist-util-position-from-estree": "2.0.0", "unist-util-stringify-position": "4.0.0", "unist-util-visit": "5.1.0", "vfile": "6.0.3" } }, "sha512-f6ZO2ifpwAQIpzGWaBQT2TXxPv6z3RBzQKpVftEWN78Vl/YweF1uwussDx8ECAXVtr3Rs89fKyG9YlzUs9DyGQ=="], + "@mermaid-js/parser": ["@mermaid-js/parser@1.2.0", "", { "dependencies": { "@chevrotain/types": "~11.1.2" } }, "sha512-oYPyv8A4As1yH5Bx+04iQEQxXuIQDe0GKCNSRgao6z8AM9jixXIfP0vsppRLvGf+nKIOb9/LdpWA4YuJiVvESA=="], + "@next/env": ["@next/env@16.2.3", "", {}, "sha512-ZWXyj4uNu4GCWQw9cjRxWlbD+33mcDszIo9iQxFnBX3Wmgq9ulaSJcl6VhuWx5pCWqqD+9W6Wfz7N0lM5lYPMA=="], "@next/swc-darwin-arm64": ["@next/swc-darwin-arm64@16.2.3", "", { "os": "darwin", "cpu": "arm64" }, "sha512-u37KDKTKQ+OQLvY+z7SNXixwo4Q2/IAJFDzU1fYe66IbCE51aDSAzkNDkWmLN0yjTUh4BKBd+hb69jYn6qqqSg=="], @@ -373,14 +412,80 @@ "@tailwindcss/postcss": ["@tailwindcss/postcss@4.1.18", "", { "dependencies": { "@alloc/quick-lru": "5.2.0", "@tailwindcss/node": "4.1.18", "@tailwindcss/oxide": "4.1.18", "postcss": "8.5.6", "tailwindcss": "4.1.18" } }, "sha512-Ce0GFnzAOuPyfV5SxjXGn0CubwGcuDB0zcdaPuCSzAa/2vII24JTkH+I6jcbXLb1ctjZMZZI6OjDaLPJQL1S0g=="], + "@types/d3": ["@types/d3@7.4.3", "", { "dependencies": { "@types/d3-array": "*", "@types/d3-axis": "*", "@types/d3-brush": "*", "@types/d3-chord": "*", "@types/d3-color": "*", "@types/d3-contour": "*", "@types/d3-delaunay": "*", "@types/d3-dispatch": "*", "@types/d3-drag": "*", "@types/d3-dsv": "*", "@types/d3-ease": "*", "@types/d3-fetch": "*", "@types/d3-force": "*", "@types/d3-format": "*", "@types/d3-geo": "*", "@types/d3-hierarchy": "*", "@types/d3-interpolate": "*", "@types/d3-path": "*", "@types/d3-polygon": "*", "@types/d3-quadtree": "*", "@types/d3-random": "*", "@types/d3-scale": "*", "@types/d3-scale-chromatic": "*", "@types/d3-selection": "*", "@types/d3-shape": "*", "@types/d3-time": "*", "@types/d3-time-format": "*", "@types/d3-timer": "*", "@types/d3-transition": "*", "@types/d3-zoom": "*" } }, "sha512-lZXZ9ckh5R8uiFVt8ogUNf+pIrK4EsWrx2Np75WvF/eTpJ0FMHNhjXk8CKEx/+gpHbNQyJWehbFaTvqmHWB3ww=="], + + "@types/d3-array": ["@types/d3-array@3.2.2", "", {}, "sha512-hOLWVbm7uRza0BYXpIIW5pxfrKe0W+D5lrFiAEYR+pb6w3N2SwSMaJbXdUfSEv+dT4MfHBLtn5js0LAWaO6otw=="], + + "@types/d3-axis": ["@types/d3-axis@3.0.6", "", { "dependencies": { "@types/d3-selection": "*" } }, "sha512-pYeijfZuBd87T0hGn0FO1vQ/cgLk6E1ALJjfkC0oJ8cbwkZl3TpgS8bVBLZN+2jjGgg38epgxb2zmoGtSfvgMw=="], + + "@types/d3-brush": ["@types/d3-brush@3.0.6", "", { "dependencies": { "@types/d3-selection": "*" } }, "sha512-nH60IZNNxEcrh6L1ZSMNA28rj27ut/2ZmI3r96Zd+1jrZD++zD3LsMIjWlvg4AYrHn/Pqz4CF3veCxGjtbqt7A=="], + + "@types/d3-chord": ["@types/d3-chord@3.0.6", "", {}, "sha512-LFYWWd8nwfwEmTZG9PfQxd17HbNPksHBiJHaKuY1XeqscXacsS2tyoo6OdRsjf+NQYeB6XrNL3a25E3gH69lcg=="], + + "@types/d3-color": ["@types/d3-color@3.1.3", "", {}, "sha512-iO90scth9WAbmgv7ogoq57O9YpKmFBbmoEoCHDB2xMBY0+/KVrqAaCDyCE16dUspeOvIxFFRI+0sEtqDqy2b4A=="], + + "@types/d3-contour": ["@types/d3-contour@3.0.6", "", { "dependencies": { "@types/d3-array": "*", "@types/geojson": "*" } }, "sha512-BjzLgXGnCWjUSYGfH1cpdo41/hgdWETu4YxpezoztawmqsvCeep+8QGfiY6YbDvfgHz/DkjeIkkZVJavB4a3rg=="], + + "@types/d3-delaunay": ["@types/d3-delaunay@6.0.4", "", {}, "sha512-ZMaSKu4THYCU6sV64Lhg6qjf1orxBthaC161plr5KuPHo3CNm8DTHiLw/5Eq2b6TsNP0W0iJrUOFscY6Q450Hw=="], + + "@types/d3-dispatch": ["@types/d3-dispatch@3.0.7", "", {}, "sha512-5o9OIAdKkhN1QItV2oqaE5KMIiXAvDWBDPrD85e58Qlz1c1kI/J0NcqbEG88CoTwJrYe7ntUCVfeUl2UJKbWgA=="], + + "@types/d3-drag": ["@types/d3-drag@3.0.7", "", { "dependencies": { "@types/d3-selection": "*" } }, "sha512-HE3jVKlzU9AaMazNufooRJ5ZpWmLIoc90A37WU2JMmeq28w1FQqCZswHZ3xR+SuxYftzHq6WU6KJHvqxKzTxxQ=="], + + "@types/d3-dsv": ["@types/d3-dsv@3.0.7", "", {}, "sha512-n6QBF9/+XASqcKK6waudgL0pf/S5XHPPI8APyMLLUHd8NqouBGLsU8MgtO7NINGtPBtk9Kko/W4ea0oAspwh9g=="], + + "@types/d3-ease": ["@types/d3-ease@3.0.2", "", {}, "sha512-NcV1JjO5oDzoK26oMzbILE6HW7uVXOHLQvHshBUW4UMdZGfiY6v5BeQwh9a9tCzv+CeefZQHJt5SRgK154RtiA=="], + + "@types/d3-fetch": ["@types/d3-fetch@3.0.7", "", { "dependencies": { "@types/d3-dsv": "*" } }, "sha512-fTAfNmxSb9SOWNB9IoG5c8Hg6R+AzUHDRlsXsDZsNp6sxAEOP0tkP3gKkNSO/qmHPoBFTxNrjDprVHDQDvo5aA=="], + + "@types/d3-force": ["@types/d3-force@3.0.10", "", {}, "sha512-ZYeSaCF3p73RdOKcjj+swRlZfnYpK1EbaDiYICEEp5Q6sUiqFaFQ9qgoshp5CzIyyb/yD09kD9o2zEltCexlgw=="], + + "@types/d3-format": ["@types/d3-format@3.0.4", "", {}, "sha512-fALi2aI6shfg7vM5KiR1wNJnZ7r6UuggVqtDA+xiEdPZQwy/trcQaHnwShLuLdta2rTymCNpxYTiMZX/e09F4g=="], + + "@types/d3-geo": ["@types/d3-geo@3.1.0", "", { "dependencies": { "@types/geojson": "*" } }, "sha512-856sckF0oP/diXtS4jNsiQw/UuK5fQG8l/a9VVLeSouf1/PPbBE1i1W852zVwKwYCBkFJJB7nCFTbk6UMEXBOQ=="], + + "@types/d3-hierarchy": ["@types/d3-hierarchy@3.1.7", "", {}, "sha512-tJFtNoYBtRtkNysX1Xq4sxtjK8YgoWUNpIiUee0/jHGRwqvzYxkq0hGVbbOGSz+JgFxxRu4K8nb3YpG3CMARtg=="], + + "@types/d3-interpolate": ["@types/d3-interpolate@3.0.4", "", { "dependencies": { "@types/d3-color": "*" } }, "sha512-mgLPETlrpVV1YRJIglr4Ez47g7Yxjl1lj7YKsiMCb27VJH9W8NVM6Bb9d8kkpG/uAQS5AmbA48q2IAolKKo1MA=="], + + "@types/d3-path": ["@types/d3-path@3.1.1", "", {}, "sha512-VMZBYyQvbGmWyWVea0EHs/BwLgxc+MKi1zLDCONksozI4YJMcTt8ZEuIR4Sb1MMTE8MMW49v0IwI5+b7RmfWlg=="], + + "@types/d3-polygon": ["@types/d3-polygon@3.0.2", "", {}, "sha512-ZuWOtMaHCkN9xoeEMr1ubW2nGWsp4nIql+OPQRstu4ypeZ+zk3YKqQT0CXVe/PYqrKpZAi+J9mTs05TKwjXSRA=="], + + "@types/d3-quadtree": ["@types/d3-quadtree@3.0.6", "", {}, "sha512-oUzyO1/Zm6rsxKRHA1vH0NEDG58HrT5icx/azi9MF1TWdtttWl0UIUsjEQBBh+SIkrpd21ZjEv7ptxWys1ncsg=="], + + "@types/d3-random": ["@types/d3-random@3.0.4", "", {}, "sha512-UHYId5WTCx4L4YNel7NU00XUXXgvgpgZOvp10PuvsQENjMDXhh2RyFc0KBjO7B45ne4Ha1yVH7ii0vnzKkuzWA=="], + + "@types/d3-scale": ["@types/d3-scale@4.0.9", "", { "dependencies": { "@types/d3-time": "*" } }, "sha512-dLmtwB8zkAeO/juAMfnV+sItKjlsw2lKdZVVy6LRr0cBmegxSABiLEpGVmSJJ8O08i4+sGR6qQtb6WtuwJdvVw=="], + + "@types/d3-scale-chromatic": ["@types/d3-scale-chromatic@3.1.0", "", {}, "sha512-iWMJgwkK7yTRmWqRB5plb1kadXyQ5Sj8V/zYlFGMUBbIPKQScw+Dku9cAAMgJG+z5GYDoMjWGLVOvjghDEFnKQ=="], + + "@types/d3-selection": ["@types/d3-selection@3.0.11", "", {}, "sha512-bhAXu23DJWsrI45xafYpkQ4NtcKMwWnAC/vKrd2l+nxMFuvOT3XMYTIj2opv8vq8AO5Yh7Qac/nSeP/3zjTK0w=="], + + "@types/d3-shape": ["@types/d3-shape@3.1.8", "", { "dependencies": { "@types/d3-path": "*" } }, "sha512-lae0iWfcDeR7qt7rA88BNiqdvPS5pFVPpo5OfjElwNaT2yyekbM0C9vK+yqBqEmHr6lDkRnYNoTBYlAgJa7a4w=="], + + "@types/d3-time": ["@types/d3-time@3.0.4", "", {}, "sha512-yuzZug1nkAAaBlBBikKZTgzCeA+k1uy4ZFwWANOfKw5z5LRhV0gNA7gNkKm7HoK+HRN0wX3EkxGk0fpbWhmB7g=="], + + "@types/d3-time-format": ["@types/d3-time-format@4.0.3", "", {}, "sha512-5xg9rC+wWL8kdDj153qZcsJ0FWiFt0J5RB6LYUNZjwSnesfblqrI/bJ1wBdJ8OQfncgbJG5+2F+qfqnqyzYxyg=="], + + "@types/d3-timer": ["@types/d3-timer@3.0.2", "", {}, "sha512-Ps3T8E8dZDam6fUyNiMkekK3XUsaUEik+idO9/YjPtfj2qruF8tFBXS7XhtE4iIXBLxhmLjP3SXpLhVf21I9Lw=="], + + "@types/d3-transition": ["@types/d3-transition@3.0.9", "", { "dependencies": { "@types/d3-selection": "*" } }, "sha512-uZS5shfxzO3rGlu0cC3bjmMFKsXv+SmZZcgp0KD22ts4uGXp5EVYGzu/0YdwZeKmddhcAccYtREJKkPfXkZuCg=="], + + "@types/d3-zoom": ["@types/d3-zoom@3.0.8", "", { "dependencies": { "@types/d3-interpolate": "*", "@types/d3-selection": "*" } }, "sha512-iqMC4/YlFCSlO8+2Ii1GGGliCAY4XdeG748w5vQUbevlbDu0zSjH/+jojorQVBK/se0j6DUFNPBGSqD3YWYnDw=="], + "@types/debug": ["@types/debug@4.1.12", "", { "dependencies": { "@types/ms": "2.1.0" } }, "sha512-vIChWdVG3LG1SMxEvI/AK+FWJthlrqlTu7fbrlywTkkaONwk/UAGaULXRlf8vkzFBLVm0zkMdCquhL5aOjhXPQ=="], "@types/estree": ["@types/estree@1.0.8", "", {}, "sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w=="], "@types/estree-jsx": ["@types/estree-jsx@1.0.5", "", { "dependencies": { "@types/estree": "1.0.8" } }, "sha512-52CcUVNFyfb1A2ALocQw/Dd1BQFNmSdkuC3BkZ6iqhdMfQz7JWOFRuJFloOzjk+6WijU56m9oKXFAXc7o3Towg=="], + "@types/geojson": ["@types/geojson@7946.0.16", "", {}, "sha512-6C8nqWur3j98U6+lXDfTUWIfgvZU+EumvpHKcYjujKH7woYyLj2sUmff0tRhrqM7BohUw7Pz3ZB1jj2gW9Fvmg=="], + "@types/hast": ["@types/hast@3.0.4", "", { "dependencies": { "@types/unist": "3.0.3" } }, "sha512-WPs+bbQw5aCj+x6laNGWLH3wviHtoCv/P3+otBhbOhJgG8qtpdAMlTCxLtsTWA7LH1Oh/bFCHsBn0TPS5m30EQ=="], + "@types/jsdom": ["@types/jsdom@28.0.3", "", { "dependencies": { "@types/node": "*", "@types/tough-cookie": "*", "parse5": "^8.0.0", "undici-types": "^7.21.0" } }, "sha512-/HQ2uFoetFTXuye8vzIcHw2z6Fwi7Hi/qcgC+RoS9NCyewiqxhVGqlG+ViGB6lkax481R6dmhf1I7lIGlzJStQ=="], + "@types/mdast": ["@types/mdast@4.0.4", "", { "dependencies": { "@types/unist": "3.0.3" } }, "sha512-kGaNbPh1k7AFzgpud/gMdvIm5xuECykRR+JnWKQno9TAXVa6WIVCGTPvYGekIDL4uwCZQSYbUxNBSb1aUo79oA=="], "@types/mdx": ["@types/mdx@2.0.13", "", {}, "sha512-+OWZQfAYyio6YkJb3HLxDrvnx6SWWDbC0zVPfBRzUk0/nqoDyf6dNxQi3eArPe8rJ473nobTMQ/8Zk+LxJ+Yuw=="], @@ -393,12 +498,16 @@ "@types/react-dom": ["@types/react-dom@19.2.3", "", { "peerDependencies": { "@types/react": "19.2.14" } }, "sha512-jp2L/eY6fn+KgVVQAOqYItbF0VY/YApe5Mz2F0aykSO8gx31bYCZyvSeYxCHKvzHG5eZjc+zyaS5BrBWya2+kQ=="], + "@types/tough-cookie": ["@types/tough-cookie@4.0.5", "", {}, "sha512-/Ad8+nIOV7Rl++6f1BdKxFSMgmoqEoYbHRpPcx3JEfv8VRsQe9Z4mCXeJBzxs7mbHY/XOZZuXlRNfhpVPbs6ZA=="], + "@types/trusted-types": ["@types/trusted-types@2.0.7", "", {}, "sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw=="], "@types/unist": ["@types/unist@3.0.3", "", {}, "sha512-ko/gIFJRv177XgZsZcBwnqJN5x/Gien8qNOn0D5bQU/zAzVf9Zt3BlcUiLqhV9y4ARk0GbT3tnUiPNgnTXzc/Q=="], "@ungap/structured-clone": ["@ungap/structured-clone@1.3.0", "", {}, "sha512-WmoN8qaIAo7WTYWbAZuG8PYEhn5fkz7dZrqTBZ7dtt//lL2Gwms1IcnQ5yHqjDfX8Ft5j4YzDM23f87zBfDe9g=="], + "@upsetjs/venn.js": ["@upsetjs/venn.js@2.0.0", "", { "optionalDependencies": { "d3-selection": "^3.0.0", "d3-transition": "^3.0.1" } }, "sha512-WbBhLrooyePuQ1VZxrJjtLvTc4NVfpOyKx0sKqioq9bX1C1m7Jgykkn8gLrtwumBioXIqam8DLxp88Adbue6Hw=="], + "acorn": ["acorn@8.15.0", "", { "bin": { "acorn": "bin/acorn" } }, "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg=="], "acorn-jsx": ["acorn-jsx@5.3.2", "", { "peerDependencies": { "acorn": "8.15.0" } }, "sha512-rq9s+JNhf0IChjtDXxllJ7g41oZk5SlXtp0LHwyA5cejwn7vKmKp4pPri6YEePv2PU65sAsegbXtIinmDFDXgQ=="], @@ -415,6 +524,8 @@ "baseline-browser-mapping": ["baseline-browser-mapping@2.9.19", "", { "bin": { "baseline-browser-mapping": "dist/cli.js" } }, "sha512-ipDqC8FrAl/76p2SSWKSI+H9tFwm7vYqXQrItCuiVPt26Km0jS+NzSsBWAaBusvSbQcfJG+JitdMm+wZAgTYqg=="], + "bidi-js": ["bidi-js@1.0.3", "", { "dependencies": { "require-from-string": "^2.0.2" } }, "sha512-RKshQI1R3YQ+n9YJz2QQ147P66ELpa1FQEg20Dk8oW9t2KgLbpDLLp9aGZ7y8WHSshDknG0bknqGw5/tyCs5tw=="], + "brace-expansion": ["brace-expansion@5.0.3", "", { "dependencies": { "balanced-match": "4.0.4" } }, "sha512-fy6KJm2RawA5RcHkLa1z/ScpBeA762UF9KmZQxwIbDtRJrgLzM10depAiEQ+CXYcoiqW1/m96OAAoke2nE9EeA=="], "caniuse-lite": ["caniuse-lite@1.0.30001769", "", {}, "sha512-BCfFL1sHijQlBGWBMuJyhZUhzo7wer5sVj9hqekB/7xn0Ypy+pER/edCYQm4exbXj4WiySGp40P8UuTh6w1srg=="], @@ -441,20 +552,106 @@ "comma-separated-tokens": ["comma-separated-tokens@2.0.3", "", {}, "sha512-Fu4hJdvzeylCfQPp9SGWidpzrMs7tTrlu6Vb8XGaRGck8QSNZJJp538Wrb60Lax4fPwR64ViY468OIUTbRlGZg=="], + "commander": ["commander@8.3.0", "", {}, "sha512-OkTL9umf+He2DZkUq8f8J9of7yL6RJKI24dVITBmNfZBmri9zYZQrKkuXiKhyfPSu8tUhnVBB1iKXevvnlR4Ww=="], + "compute-scroll-into-view": ["compute-scroll-into-view@3.1.1", "", {}, "sha512-VRhuHOLoKYOy4UbilLbUzbYg93XLjv2PncJC50EuTWPA3gaja1UjBsUP/D/9/juV3vQFr6XBEzn9KCAHdUvOHw=="], "core-js": ["core-js@3.48.0", "", {}, "sha512-zpEHTy1fjTMZCKLHUZoVeylt9XrzaIN2rbPXEt0k+q7JE5CkCZdo6bNq55bn24a69CH7ErAVLKijxJja4fw+UQ=="], + "cose-base": ["cose-base@1.0.3", "", { "dependencies": { "layout-base": "^1.0.0" } }, "sha512-s9whTXInMSgAp/NVXVNuVxVKzGH2qck3aQlVHxDCdAEPgtMKwc4Wq6/QKhgdEdgbLSi9rBTAcPoRa6JpiG4ksg=="], + "cross-spawn": ["cross-spawn@7.0.6", "", { "dependencies": { "path-key": "3.1.1", "shebang-command": "2.0.0", "which": "2.0.2" } }, "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA=="], + "css-tree": ["css-tree@3.2.1", "", { "dependencies": { "mdn-data": "2.27.1", "source-map-js": "^1.2.1" } }, "sha512-X7sjQzceUhu1u7Y/ylrRZFU2FS6LRiFVp6rKLPg23y3x3c3DOKAwuXGDp+PAGjh6CSnCjYeAul8pcT8bAl+lSA=="], + "cssesc": ["cssesc@3.0.0", "", { "bin": { "cssesc": "bin/cssesc" } }, "sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg=="], "csstype": ["csstype@3.2.3", "", {}, "sha512-z1HGKcYy2xA8AGQfwrn0PAy+PB7X/GSj3UVJW9qKyn43xWa+gl5nXmU4qqLMRzWVLFC8KusUX8T/0kCiOYpAIQ=="], + "cytoscape": ["cytoscape@3.34.0", "", {}, "sha512-62rNSrioXw93uliKFBwjukeQyeWwH2PqDrTac31r2P6464u3AUvTk0xS4LVvT251g7IgkFunrI48ZEZGjywSOg=="], + + "cytoscape-cose-bilkent": ["cytoscape-cose-bilkent@4.1.0", "", { "dependencies": { "cose-base": "^1.0.0" }, "peerDependencies": { "cytoscape": "^3.2.0" } }, "sha512-wgQlVIUJF13Quxiv5e1gstZ08rnZj2XaLHGoFMYXz7SkNfCDOOteKBE6SYRfA9WxxI/iBc3ajfDoc6hb/MRAHQ=="], + + "cytoscape-fcose": ["cytoscape-fcose@2.2.0", "", { "dependencies": { "cose-base": "^2.2.0" }, "peerDependencies": { "cytoscape": "^3.2.0" } }, "sha512-ki1/VuRIHFCzxWNrsshHYPs6L7TvLu3DL+TyIGEsRcvVERmxokbf5Gdk7mFxZnTdiGtnA4cfSmjZJMviqSuZrQ=="], + + "d3": ["d3@7.9.0", "", { "dependencies": { "d3-array": "3", "d3-axis": "3", "d3-brush": "3", "d3-chord": "3", "d3-color": "3", "d3-contour": "4", "d3-delaunay": "6", "d3-dispatch": "3", "d3-drag": "3", "d3-dsv": "3", "d3-ease": "3", "d3-fetch": "3", "d3-force": "3", "d3-format": "3", "d3-geo": "3", "d3-hierarchy": "3", "d3-interpolate": "3", "d3-path": "3", "d3-polygon": "3", "d3-quadtree": "3", "d3-random": "3", "d3-scale": "4", "d3-scale-chromatic": "3", "d3-selection": "3", "d3-shape": "3", "d3-time": "3", "d3-time-format": "4", "d3-timer": "3", "d3-transition": "3", "d3-zoom": "3" } }, "sha512-e1U46jVP+w7Iut8Jt8ri1YsPOvFpg46k+K8TpCb0P+zjCkjkPnV7WzfDJzMHy1LnA+wj5pLT1wjO901gLXeEhA=="], + + "d3-array": ["d3-array@3.2.4", "", { "dependencies": { "internmap": "1 - 2" } }, "sha512-tdQAmyA18i4J7wprpYq8ClcxZy3SC31QMeByyCFyRt7BVHdREQZ5lpzoe5mFEYZUWe+oq8HBvk9JjpibyEV4Jg=="], + + "d3-axis": ["d3-axis@3.0.0", "", {}, "sha512-IH5tgjV4jE/GhHkRV0HiVYPDtvfjHQlQfJHs0usq7M30XcSBvOotpmH1IgkcXsO/5gEQZD43B//fc7SRT5S+xw=="], + + "d3-brush": ["d3-brush@3.0.0", "", { "dependencies": { "d3-dispatch": "1 - 3", "d3-drag": "2 - 3", "d3-interpolate": "1 - 3", "d3-selection": "3", "d3-transition": "3" } }, "sha512-ALnjWlVYkXsVIGlOsuWH1+3udkYFI48Ljihfnh8FZPF2QS9o+PzGLBslO0PjzVoHLZ2KCVgAM8NVkXPJB2aNnQ=="], + + "d3-chord": ["d3-chord@3.0.1", "", { "dependencies": { "d3-path": "1 - 3" } }, "sha512-VE5S6TNa+j8msksl7HwjxMHDM2yNK3XCkusIlpX5kwauBfXuyLAtNg9jCp/iHH61tgI4sb6R/EIMWCqEIdjT/g=="], + + "d3-color": ["d3-color@3.1.0", "", {}, "sha512-zg/chbXyeBtMQ1LbD/WSoW2DpC3I0mpmPdW+ynRTj/x2DAWYrIY7qeZIHidozwV24m4iavr15lNwIwLxRmOxhA=="], + + "d3-contour": ["d3-contour@4.0.2", "", { "dependencies": { "d3-array": "^3.2.0" } }, "sha512-4EzFTRIikzs47RGmdxbeUvLWtGedDUNkTcmzoeyg4sP/dvCexO47AaQL7VKy/gul85TOxw+IBgA8US2xwbToNA=="], + + "d3-delaunay": ["d3-delaunay@6.0.4", "", { "dependencies": { "delaunator": "5" } }, "sha512-mdjtIZ1XLAM8bm/hx3WwjfHt6Sggek7qH043O8KEjDXN40xi3vx/6pYSVTwLjEgiXQTbvaouWKynLBiUZ6SK6A=="], + + "d3-dispatch": ["d3-dispatch@3.0.1", "", {}, "sha512-rzUyPU/S7rwUflMyLc1ETDeBj0NRuHKKAcvukozwhshr6g6c5d8zh4c2gQjY2bZ0dXeGLWc1PF174P2tVvKhfg=="], + + "d3-drag": ["d3-drag@3.0.0", "", { "dependencies": { "d3-dispatch": "1 - 3", "d3-selection": "3" } }, "sha512-pWbUJLdETVA8lQNJecMxoXfH6x+mO2UQo8rSmZ+QqxcbyA3hfeprFgIT//HW2nlHChWeIIMwS2Fq+gEARkhTkg=="], + + "d3-dsv": ["d3-dsv@3.0.1", "", { "dependencies": { "commander": "7", "iconv-lite": "0.6", "rw": "1" }, "bin": { "csv2json": "bin/dsv2json.js", "csv2tsv": "bin/dsv2dsv.js", "dsv2dsv": "bin/dsv2dsv.js", "dsv2json": "bin/dsv2json.js", "json2csv": "bin/json2dsv.js", "json2dsv": "bin/json2dsv.js", "json2tsv": "bin/json2dsv.js", "tsv2csv": "bin/dsv2dsv.js", "tsv2json": "bin/dsv2json.js" } }, "sha512-UG6OvdI5afDIFP9w4G0mNq50dSOsXHJaRE8arAS5o9ApWnIElp8GZw1Dun8vP8OyHOZ/QJUKUJwxiiCCnUwm+Q=="], + + "d3-ease": ["d3-ease@3.0.1", "", {}, "sha512-wR/XK3D3XcLIZwpbvQwQ5fK+8Ykds1ip7A2Txe0yxncXSdq1L9skcG7blcedkOX+ZcgxGAmLX1FrRGbADwzi0w=="], + + "d3-fetch": ["d3-fetch@3.0.1", "", { "dependencies": { "d3-dsv": "1 - 3" } }, "sha512-kpkQIM20n3oLVBKGg6oHrUchHM3xODkTzjMoj7aWQFq5QEM+R6E4WkzT5+tojDY7yjez8KgCBRoj4aEr99Fdqw=="], + + "d3-force": ["d3-force@3.0.0", "", { "dependencies": { "d3-dispatch": "1 - 3", "d3-quadtree": "1 - 3", "d3-timer": "1 - 3" } }, "sha512-zxV/SsA+U4yte8051P4ECydjD/S+qeYtnaIyAs9tgHCqfguma/aAQDjo85A9Z6EKhBirHRJHXIgJUlffT4wdLg=="], + + "d3-format": ["d3-format@3.1.2", "", {}, "sha512-AJDdYOdnyRDV5b6ArilzCPPwc1ejkHcoyFarqlPqT7zRYjhavcT3uSrqcMvsgh2CgoPbK3RCwyHaVyxYcP2Arg=="], + + "d3-geo": ["d3-geo@3.1.1", "", { "dependencies": { "d3-array": "2.5.0 - 3" } }, "sha512-637ln3gXKXOwhalDzinUgY83KzNWZRKbYubaG+fGVuc/dxO64RRljtCTnf5ecMyE1RIdtqpkVcq0IbtU2S8j2Q=="], + + "d3-hierarchy": ["d3-hierarchy@3.1.2", "", {}, "sha512-FX/9frcub54beBdugHjDCdikxThEqjnR93Qt7PvQTOHxyiNCAlvMrHhclk3cD5VeAaq9fxmfRp+CnWw9rEMBuA=="], + + "d3-interpolate": ["d3-interpolate@3.0.1", "", { "dependencies": { "d3-color": "1 - 3" } }, "sha512-3bYs1rOD33uo8aqJfKP3JWPAibgw8Zm2+L9vBKEHJ2Rg+viTR7o5Mmv5mZcieN+FRYaAOWX5SJATX6k1PWz72g=="], + + "d3-path": ["d3-path@3.1.0", "", {}, "sha512-p3KP5HCf/bvjBSSKuXid6Zqijx7wIfNW+J/maPs+iwR35at5JCbLUT0LzF1cnjbCHWhqzQTIN2Jpe8pRebIEFQ=="], + + "d3-polygon": ["d3-polygon@3.0.1", "", {}, "sha512-3vbA7vXYwfe1SYhED++fPUQlWSYTTGmFmQiany/gdbiWgU/iEyQzyymwL9SkJjFFuCS4902BSzewVGsHHmHtXg=="], + + "d3-quadtree": ["d3-quadtree@3.0.1", "", {}, "sha512-04xDrxQTDTCFwP5H6hRhsRcb9xxv2RzkcsygFzmkSIOJy3PeRJP7sNk3VRIbKXcog561P9oU0/rVH6vDROAgUw=="], + + "d3-random": ["d3-random@3.0.1", "", {}, "sha512-FXMe9GfxTxqd5D6jFsQ+DJ8BJS4E/fT5mqqdjovykEB2oFbTMDVdg1MGFxfQW+FBOGoB++k8swBrgwSHT1cUXQ=="], + + "d3-sankey": ["d3-sankey@0.12.3", "", { "dependencies": { "d3-array": "1 - 2", "d3-shape": "^1.2.0" } }, "sha512-nQhsBRmM19Ax5xEIPLMY9ZmJ/cDvd1BG3UVvt5h3WRxKg5zGRbvnteTyWAbzeSvlh3tW7ZEmq4VwR5mB3tutmQ=="], + + "d3-scale": ["d3-scale@4.0.2", "", { "dependencies": { "d3-array": "2.10.0 - 3", "d3-format": "1 - 3", "d3-interpolate": "1.2.0 - 3", "d3-time": "2.1.1 - 3", "d3-time-format": "2 - 4" } }, "sha512-GZW464g1SH7ag3Y7hXjf8RoUuAFIqklOAq3MRl4OaWabTFJY9PN/E1YklhXLh+OQ3fM9yS2nOkCoS+WLZ6kvxQ=="], + + "d3-scale-chromatic": ["d3-scale-chromatic@3.1.0", "", { "dependencies": { "d3-color": "1 - 3", "d3-interpolate": "1 - 3" } }, "sha512-A3s5PWiZ9YCXFye1o246KoscMWqf8BsD9eRiJ3He7C9OBaxKhAd5TFCdEx/7VbKtxxTsu//1mMJFrEt572cEyQ=="], + + "d3-selection": ["d3-selection@3.0.0", "", {}, "sha512-fmTRWbNMmsmWq6xJV8D19U/gw/bwrHfNXxrIN+HfZgnzqTHp9jOmKMhsTUjXOJnZOdZY9Q28y4yebKzqDKlxlQ=="], + + "d3-shape": ["d3-shape@3.2.0", "", { "dependencies": { "d3-path": "^3.1.0" } }, "sha512-SaLBuwGm3MOViRq2ABk3eLoxwZELpH6zhl3FbAoJ7Vm1gofKx6El1Ib5z23NUEhF9AsGl7y+dzLe5Cw2AArGTA=="], + + "d3-time": ["d3-time@3.1.0", "", { "dependencies": { "d3-array": "2 - 3" } }, "sha512-VqKjzBLejbSMT4IgbmVgDjpkYrNWUYJnbCGo874u7MMKIWsILRX+OpX/gTk8MqjpT1A/c6HY2dCA77ZN0lkQ2Q=="], + + "d3-time-format": ["d3-time-format@4.1.0", "", { "dependencies": { "d3-time": "1 - 3" } }, "sha512-dJxPBlzC7NugB2PDLwo9Q8JiTR3M3e4/XANkreKSUxF8vvXKqm1Yfq4Q5dl8budlunRVlUUaDUgFt7eA8D6NLg=="], + + "d3-timer": ["d3-timer@3.0.1", "", {}, "sha512-ndfJ/JxxMd3nw31uyKoY2naivF+r29V+Lc0svZxe1JvvIRmi8hUsrMvdOwgS1o6uBHmiz91geQ0ylPP0aj1VUA=="], + + "d3-transition": ["d3-transition@3.0.1", "", { "dependencies": { "d3-color": "1 - 3", "d3-dispatch": "1 - 3", "d3-ease": "1 - 3", "d3-interpolate": "1 - 3", "d3-timer": "1 - 3" }, "peerDependencies": { "d3-selection": "2 - 3" } }, "sha512-ApKvfjsSR6tg06xrL434C0WydLr7JewBB3V+/39RMHsaXTOG0zmt/OAXeng5M5LBm0ojmxJrpomQVZ1aPvBL4w=="], + + "d3-zoom": ["d3-zoom@3.0.0", "", { "dependencies": { "d3-dispatch": "1 - 3", "d3-drag": "2 - 3", "d3-interpolate": "1 - 3", "d3-selection": "2 - 3", "d3-transition": "2 - 3" } }, "sha512-b8AmV3kfQaqWAuacbPuNbL6vahnOJflOhexLzMMNLga62+/nh0JzvJ0aO/5a5MVgUFGS7Hu1P9P03o3fJkDCyw=="], + + "dagre-d3-es": ["dagre-d3-es@7.0.14", "", { "dependencies": { "d3": "^7.9.0", "lodash-es": "^4.17.21" } }, "sha512-P4rFMVq9ESWqmOgK+dlXvOtLwYg0i7u0HBGJER0LZDJT2VHIPAMZ/riPxqJceWMStH5+E61QxFra9kIS3AqdMg=="], + + "data-urls": ["data-urls@7.0.0", "", { "dependencies": { "whatwg-mimetype": "^5.0.0", "whatwg-url": "^16.0.0" } }, "sha512-23XHcCF+coGYevirZceTVD7NdJOqVn+49IHyxgszm+JIiHLoB2TkmPtsYkNWT1pvRSGkc35L6NHs0yHkN2SumA=="], + + "dayjs": ["dayjs@1.11.21", "", {}, "sha512-98IT+HOahAisibz/yjKbzuOBwYcjJ7BCLPzARyHiyEBmRz4fatF+KPJszEHXsGYjUG234aH/cOjW1wwTbKUZlA=="], + "debug": ["debug@4.4.3", "", { "dependencies": { "ms": "2.1.3" } }, "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA=="], + "decimal.js": ["decimal.js@10.6.0", "", {}, "sha512-YpgQiITW3JXGntzdUmyUR1V812Hn8T1YVXhCu+wO3OpS4eU9l4YdD3qjyiKdV6mvV29zapkMeD390UVEf2lkUg=="], + "decode-named-character-reference": ["decode-named-character-reference@1.3.0", "", { "dependencies": { "character-entities": "2.0.2" } }, "sha512-GtpQYB283KrPp6nRw50q3U9/VfOutZOe103qlN7BPP6Ad27xYnOIWv4lPzo8HCAL+mMZofJ9KEy30fq6MfaK6Q=="], + "delaunator": ["delaunator@5.1.0", "", { "dependencies": { "robust-predicates": "^3.0.2" } }, "sha512-AGrQ4QSgssa1NGmWmLPqN5NY2KajF5MqxetNEO+o0n3ZwZZeTmt7bBnvzHWrmkZFxGgr4HdyFgelzgi06otLuQ=="], + "dequal": ["dequal@2.0.3", "", {}, "sha512-0je+qPKHEMohvfRTCEo3CrPG6cAzAYgmzKyxRiYSSDkS6eGJdyVJm7WaYA5ECaAD9wLB2T4EEeymA5aFVcYXCA=="], "detect-libc": ["detect-libc@2.1.2", "", {}, "sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ=="], @@ -463,11 +660,13 @@ "devlop": ["devlop@1.1.0", "", { "dependencies": { "dequal": "2.0.3" } }, "sha512-RWmIqhcFf1lRYBvNmr7qTNuyCt/7/ns2jbpp1+PalgE/rDQcBT0fioSMUpJ93irlUhC5hrg4cYqe6U+0ImW0rA=="], - "dompurify": ["dompurify@3.3.1", "", { "optionalDependencies": { "@types/trusted-types": "2.0.7" } }, "sha512-qkdCKzLNtrgPFP1Vo+98FRzJnBRGe4ffyCea9IwHB1fyxPOeNTHpLKYGd4Uk9xvNoH0ZoOjwZxNptyMwqrId1Q=="], + "dompurify": ["dompurify@3.4.11", "", { "optionalDependencies": { "@types/trusted-types": "^2.0.7" } }, "sha512-zhlUV12GsaRzMsf9q5M254YhA4+VuF0fG+QFqu6aYpoGlKtz+w8//jBcGVYBgQkR5GHjUomejY84AV+/uPbWdw=="], "enhanced-resolve": ["enhanced-resolve@5.19.0", "", { "dependencies": { "graceful-fs": "4.2.11", "tapable": "2.3.0" } }, "sha512-phv3E1Xl4tQOShqSte26C7Fl84EwUdZsyOuSSk9qtAGyyQs2s3jJzComh+Abf4g187lUUAvH+H26omrqia2aGg=="], - "entities": ["entities@4.5.0", "", {}, "sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw=="], + "entities": ["entities@8.0.0", "", {}, "sha512-zwfzJecQ/Uej6tusMqwAqU/6KL2XaB2VZ2Jg54Je6ahNBGNH6Ek6g3jjNCF0fG9EWQKGZNddNjU5F1ZQn/sBnA=="], + + "es-toolkit": ["es-toolkit@1.49.0", "", {}, "sha512-G5iZ6Pc/FNRY/soKZHC+TxGDD83rHUDXxzaWhGCX44vAv/tMs56WMusnm/KMNK+luUPsgA9U28cGr4RDlSzL2g=="], "esast-util-from-estree": ["esast-util-from-estree@2.0.0", "", { "dependencies": { "@types/estree-jsx": "1.0.5", "devlop": "1.1.0", "estree-util-visit": "2.0.0", "unist-util-position-from-estree": "2.0.0" } }, "sha512-4CyanoAudUSBAn5K13H4JhsMH6L9ZP7XbLVe/dKybkxMO7eDyLsT8UHl9TRNrU2Gr9nz+FovfSIjuXWJ81uVwQ=="], @@ -517,6 +716,8 @@ "graceful-fs": ["graceful-fs@4.2.11", "", {}, "sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ=="], + "hachure-fill": ["hachure-fill@0.5.2", "", {}, "sha512-3GKBOn+m2LX9iq+JC1064cSFprJY4jL1jCXTcpnfER5HYE2l/4EfWSGzkPa/ZDBmYI0ZOEj5VHV/eKnPGkHuOg=="], + "hast-util-from-parse5": ["hast-util-from-parse5@8.0.3", "", { "dependencies": { "@types/hast": "3.0.4", "@types/unist": "3.0.3", "devlop": "1.1.0", "hastscript": "9.0.1", "property-information": "7.1.0", "vfile": "6.0.3", "vfile-location": "5.0.3", "web-namespaces": "2.0.1" } }, "sha512-3kxEVkEKt0zvcZ3hCRYI8rqrgwtlIOFMWkbclACvjlDw8Li9S2hk/d51OI0nr/gIpdMHNepwgOKqZ/sy0Clpyg=="], "hast-util-parse-selector": ["hast-util-parse-selector@4.0.0", "", { "dependencies": { "@types/hast": "3.0.4" } }, "sha512-wkQCkSYoOGCRKERFWcxMVMOcYE2K1AaNLU8DXS9arxnLOUEWbOXKXiJUNzEpqZ3JOKpnha3jkFrumEjVliDe7A=="], @@ -537,12 +738,20 @@ "hastscript": ["hastscript@9.0.1", "", { "dependencies": { "@types/hast": "3.0.4", "comma-separated-tokens": "2.0.3", "hast-util-parse-selector": "4.0.0", "property-information": "7.1.0", "space-separated-tokens": "2.0.2" } }, "sha512-g7df9rMFX/SPi34tyGCyUBREQoKkapwdY/T04Qn9TDWfHhAYt4/I0gMVirzK5wEzeUqIjEB+LXC/ypb7Aqno5w=="], + "html-encoding-sniffer": ["html-encoding-sniffer@6.0.0", "", { "dependencies": { "@exodus/bytes": "^1.6.0" } }, "sha512-CV9TW3Y3f8/wT0BRFc1/KAVQ3TUHiXmaAb6VW9vtiMFf7SLoMd1PdAc4W3KFOFETBJUb90KatHqlsZMWV+R9Gg=="], + "html-void-elements": ["html-void-elements@3.0.0", "", {}, "sha512-bEqo66MRXsUGxWHV5IP0PUiAWwoEjba4VCzg0LjFJBpchPaTfyfCKTG6bc5F8ucKec3q5y6qOdGyYTSBEvhCrg=="], + "iconv-lite": ["iconv-lite@0.6.3", "", { "dependencies": { "safer-buffer": ">= 2.1.2 < 3.0.0" } }, "sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw=="], + "image-size": ["image-size@2.0.2", "", { "bin": { "image-size": "bin/image-size.js" } }, "sha512-IRqXKlaXwgSMAMtpNzZa1ZAe8m+Sa1770Dhk8VkSsP9LS+iHD62Zd8FQKs8fbPiagBE7BzoFX23cxFnwshpV6w=="], + "import-meta-resolve": ["import-meta-resolve@4.2.0", "", {}, "sha512-Iqv2fzaTQN28s/FwZAoFq0ZSs/7hMAHJVX+w8PZl3cY19Pxk6jFFalxQoIfW2826i/fDLXv8IiEZRIT0lDuWcg=="], + "inline-style-parser": ["inline-style-parser@0.2.7", "", {}, "sha512-Nb2ctOyNR8DqQoR0OwRG95uNWIC0C1lCgf5Naz5H6Ji72KZ8OcFZLz2P5sNgwlyoJ8Yif11oMuYs5pBQa86csA=="], + "internmap": ["internmap@1.0.1", "", {}, "sha512-lDB5YccMydFBtasVtxnZ3MRBHuaoE8GKsppq+EchKL2U4nK/DmEpPHNH8MZe5HkMtpSiTSOZwfN0tzYjO/lJEw=="], + "is-alphabetical": ["is-alphabetical@2.0.1", "", {}, "sha512-FWyyY60MeTNyeSRpkM2Iry0G9hpr7/9kD40mD/cGQEuilcZYS4okz8SN2Q6rLCJ8gbCt6fN+rC+6tMGS99LaxQ=="], "is-alphanumerical": ["is-alphanumerical@2.0.1", "", { "dependencies": { "is-alphabetical": "2.0.1", "is-decimal": "2.0.1" } }, "sha512-hmbYhX/9MUMF5uh7tOXyK/n0ZvWpad5caBA17GsC6vyuCqaWliRG5K1qS9inmUhEMaOBIW7/whAnSwveW/LtZw=="], @@ -553,12 +762,22 @@ "is-plain-obj": ["is-plain-obj@4.1.0", "", {}, "sha512-+Pgi+vMuUNkJyExiMBt5IlFoMyKnr5zhJ4Uspz58WOhBF5QoIZkFyNHIbBAtHwzVAgk5RtndVNsDRN61/mmDqg=="], + "is-potential-custom-element-name": ["is-potential-custom-element-name@1.0.1", "", {}, "sha512-bCYeRA2rVibKZd+s2625gGnGF/t7DSqDs4dP7CrLA1m7jKWz6pps0LpYLJN8Q64HtmPKJ1hrN3nzPNKFEKOUiQ=="], + "isexe": ["isexe@2.0.0", "", {}, "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw=="], "jiti": ["jiti@2.6.1", "", { "bin": { "jiti": "lib/jiti-cli.mjs" } }, "sha512-ekilCSN1jwRvIbgeg/57YFh8qQDNbwDb9xT/qu2DAHbFFZUicIl4ygVaAvzveMhMVr3LnpSKTNnwt8PoOfmKhQ=="], "js-yaml": ["js-yaml@4.1.1", "", { "dependencies": { "argparse": "2.0.1" }, "bin": { "js-yaml": "bin/js-yaml.js" } }, "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA=="], + "jsdom": ["jsdom@29.1.1", "", { "dependencies": { "@asamuzakjp/css-color": "^5.1.11", "@asamuzakjp/dom-selector": "^7.1.1", "@bramus/specificity": "^2.4.2", "@csstools/css-syntax-patches-for-csstree": "^1.1.3", "@exodus/bytes": "^1.15.0", "css-tree": "^3.2.1", "data-urls": "^7.0.0", "decimal.js": "^10.6.0", "html-encoding-sniffer": "^6.0.0", "is-potential-custom-element-name": "^1.0.1", "lru-cache": "^11.3.5", "parse5": "^8.0.1", "saxes": "^6.0.0", "symbol-tree": "^3.2.4", "tough-cookie": "^6.0.1", "undici": "^7.25.0", "w3c-xmlserializer": "^5.0.0", "webidl-conversions": "^8.0.1", "whatwg-mimetype": "^5.0.0", "whatwg-url": "^16.0.1", "xml-name-validator": "^5.0.0" }, "peerDependencies": { "canvas": "^3.0.0" }, "optionalPeers": ["canvas"] }, "sha512-ECi4Fi2f7BdJtUKTflYRTiaMxIB0O6zfR1fX0GXpUrf6flp8QIYn1UT20YQqdSOfk2dfkCwS8LAFoJDEppNK5Q=="], + + "katex": ["katex@0.16.47", "", { "dependencies": { "commander": "^8.3.0" }, "bin": { "katex": "cli.js" } }, "sha512-Eeo8Ys1doU1z+x8AZsPpQu+p/QcZBI5PeOo7QGQdy2x2m0MU/hYagBbGOmXwr5KVbEfVuWv9LpnQWeehogurjg=="], + + "khroma": ["khroma@2.1.0", "", {}, "sha512-Ls993zuzfayK269Svk9hzpeGUKob/sIgZzyHYdjQoAdQetRKpOLj+k/QQQ/6Qi0Yz65mlROrfd+Ev+1+7dz9Kw=="], + + "layout-base": ["layout-base@1.0.2", "", {}, "sha512-8h2oVEZNktL4BH2JCOI90iD1yXwL6iNW7KcCKT2QZgQJR2vbqDsldCTPRU9NifTCqHZci57XvQQ15YTu+sTYPg=="], + "lightningcss": ["lightningcss@1.30.2", "", { "dependencies": { "detect-libc": "2.1.2" }, "optionalDependencies": { "lightningcss-android-arm64": "1.30.2", "lightningcss-darwin-arm64": "1.30.2", "lightningcss-darwin-x64": "1.30.2", "lightningcss-freebsd-x64": "1.30.2", "lightningcss-linux-arm-gnueabihf": "1.30.2", "lightningcss-linux-arm64-gnu": "1.30.2", "lightningcss-linux-arm64-musl": "1.30.2", "lightningcss-linux-x64-gnu": "1.30.2", "lightningcss-linux-x64-musl": "1.30.2", "lightningcss-win32-arm64-msvc": "1.30.2", "lightningcss-win32-x64-msvc": "1.30.2" } }, "sha512-utfs7Pr5uJyyvDETitgsaqSyjCb2qNRAtuqUeWIAKztsOYdcACf2KtARYXg2pSvhkt+9NfoaNY7fxjl6nuMjIQ=="], "lightningcss-android-arm64": ["lightningcss-android-arm64@1.30.2", "", { "os": "android", "cpu": "arm64" }, "sha512-BH9sEdOCahSgmkVhBLeU7Hc9DWeZ1Eb6wNS6Da8igvUwAe0sqROHddIlvU06q3WyXVEOYDZ6ykBZQnjTbmo4+A=="], @@ -585,10 +804,14 @@ "linkify-it": ["linkify-it@5.0.0", "", { "dependencies": { "uc.micro": "2.1.0" } }, "sha512-5aHCbzQRADcdP+ATqnDuhhJ/MRIqDkZX5pyjFHRRysS8vZ5AbqGEoFIb6pYHPZ+L/OC2Lc+xT8uHVVR5CAK/wQ=="], + "lodash-es": ["lodash-es@4.18.1", "", {}, "sha512-J8xewKD/Gk22OZbhpOVSwcs60zhd95ESDwezOFuA3/099925PdHJ7OFHNTGtajL3AlZkykD32HykiMo+BIBI8A=="], + "long": ["long@5.3.2", "", {}, "sha512-mNAgZ1GmyNhD7AuqnTG3/VQ26o760+ZYBPKjPvugO8+nLbYfX6TVpJPseBvopbdY+qpZ/lKUnmEc1LeZYS3QAA=="], "longest-streak": ["longest-streak@3.1.0", "", {}, "sha512-9Ri+o0JYgehTaVBBDoMqIl8GXtbWg711O3srftcHhZ0dqnETqLaoIK0x17fUw9rFSlK/0NlsKe0Ahhyl5pXE2g=="], + "lru-cache": ["lru-cache@11.5.2", "", {}, "sha512-4pfM1Ff0x50o0tQwb5ucw/RzNyD0/YJME6IVcStalZuMWxdt3sR3huStTtxz4PUmvZfRguvDejasvQ2kifR11g=="], + "lucide-react": ["lucide-react@0.563.0", "", { "peerDependencies": { "react": "19.2.4" } }, "sha512-8dXPB2GI4dI8jV4MgUDGBeLdGk8ekfqVZ0BdLcrRzocGgG75ltNEmWS+gE7uokKF/0oSUuczNDT+g9hFJ23FkA=="], "lunr": ["lunr@2.3.9", "", {}, "sha512-zTU3DaZaF3Rt9rhN3uBMGQD3dD2/vFQqnvZCDv4dl5iOzq2IZQqTxu90r4E5J+nP70J3ilqVCrbho2eWaeW8Ow=="], @@ -601,6 +824,8 @@ "markdown-table": ["markdown-table@3.0.4", "", {}, "sha512-wiYz4+JrLyb/DqW2hkFJxP7Vd7JuTDm77fvbM8VfEQdmSMqcImWeeRbHwZjBjIFki/VaMK2BhFi7oUUZeM5bqw=="], + "marked": ["marked@16.4.2", "", { "bin": { "marked": "bin/marked.js" } }, "sha512-TI3V8YYWvkVf3KJe1dRkpnjs68JUPyEa5vjKrp1XEEJUAOaQc+Qj+L1qWbPd0SJuAdQkFU0h73sXXqwDYxsiDA=="], + "mdast-util-find-and-replace": ["mdast-util-find-and-replace@3.0.2", "", { "dependencies": { "@types/mdast": "4.0.4", "escape-string-regexp": "5.0.0", "unist-util-is": "6.0.1", "unist-util-visit-parents": "6.0.2" } }, "sha512-Tmd1Vg/m3Xz43afeNxDIhWRtFZgM2VLyaf4vSTYwudTyeuTneoL3qtWMA5jeLyz/O1vDJmmV4QuScFCA2tBPwg=="], "mdast-util-from-markdown": ["mdast-util-from-markdown@2.0.2", "", { "dependencies": { "@types/mdast": "4.0.4", "@types/unist": "3.0.3", "decode-named-character-reference": "1.3.0", "devlop": "1.1.0", "mdast-util-to-string": "4.0.0", "micromark": "4.0.2", "micromark-util-decode-numeric-character-reference": "2.0.2", "micromark-util-decode-string": "2.0.1", "micromark-util-normalize-identifier": "2.0.1", "micromark-util-symbol": "2.0.1", "micromark-util-types": "2.0.2", "unist-util-stringify-position": "4.0.0" } }, "sha512-uZhTV/8NBuw0WHkPTrCqDOl0zVe1BIng5ZtHoDk49ME1qqcjYmmLmOf0gELgcRMxN4w2iuIeVso5/6QymSrgmA=="], @@ -633,8 +858,12 @@ "mdast-util-to-string": ["mdast-util-to-string@4.0.0", "", { "dependencies": { "@types/mdast": "4.0.4" } }, "sha512-0H44vDimn51F0YwvxSJSm0eCDOJTRlmN0R1yBh4HLj9wiV1Dn0QoXGbvFAWj2hSItVTlCmBF1hqKlIyUBVFLPg=="], + "mdn-data": ["mdn-data@2.27.1", "", {}, "sha512-9Yubnt3e8A0OKwxYSXyhLymGW4sCufcLG6VdiDdUGVkPhpqLxlvP5vl1983gQjJl3tqbrM731mjaZaP68AgosQ=="], + "mdurl": ["mdurl@2.0.0", "", {}, "sha512-Lf+9+2r+Tdp5wXDXC4PcIBjTDtq4UKjCPMQhKIuzpJNW0b96kVqSwW0bT7FhRSfmAiFYgP+SCRvdrDozfh0U5w=="], + "mermaid": ["mermaid@11.16.0", "", { "dependencies": { "@braintree/sanitize-url": "^7.1.2", "@iconify/utils": "^3.0.2", "@mermaid-js/parser": "^1.2.0", "@types/d3": "^7.4.3", "@upsetjs/venn.js": "^2.0.0", "cytoscape": "^3.33.3", "cytoscape-cose-bilkent": "^4.1.0", "cytoscape-fcose": "^2.2.0", "d3": "^7.9.0", "d3-sankey": "^0.12.3", "dagre-d3-es": "7.0.14", "dayjs": "^1.11.20", "dompurify": "^3.3.3", "es-toolkit": "^1.45.1", "katex": "^0.16.45", "khroma": "^2.1.0", "marked": "^16.3.0", "roughjs": "^4.6.6", "stylis": "^4.3.6", "ts-dedent": "^2.2.0", "uuid": "^11.1.0 || ^12 || ^13 || ^14.0.0" } }, "sha512-Zvm3kbstgdpvIJPPItlL7fppIZ3kibvc1oZIGxdvk9t6UFz6flv+Jw7FtRGKwfcI8OckmH04LqG6LlS6X4B1pA=="], + "micromark": ["micromark@4.0.2", "", { "dependencies": { "@types/debug": "4.1.12", "debug": "4.4.3", "decode-named-character-reference": "1.3.0", "devlop": "1.1.0", "micromark-core-commonmark": "2.0.3", "micromark-factory-space": "2.0.1", "micromark-util-character": "2.1.1", "micromark-util-chunked": "2.0.1", "micromark-util-combine-extensions": "2.0.1", "micromark-util-decode-numeric-character-reference": "2.0.2", "micromark-util-encode": "2.0.1", "micromark-util-normalize-identifier": "2.0.1", "micromark-util-resolve-all": "2.0.1", "micromark-util-sanitize-uri": "2.0.1", "micromark-util-subtokenize": "2.1.0", "micromark-util-symbol": "2.0.1", "micromark-util-types": "2.0.2" } }, "sha512-zpe98Q6kvavpCr1NPVSCMebCKfD7CA2NqZ+rykeNhONIJBpc1tFKt9hucLGwha3jNTNI8lHpctWJWoimVF4PfA=="], "micromark-core-commonmark": ["micromark-core-commonmark@2.0.3", "", { "dependencies": { "decode-named-character-reference": "1.3.0", "devlop": "1.1.0", "micromark-factory-destination": "2.0.1", "micromark-factory-label": "2.0.1", "micromark-factory-space": "2.0.1", "micromark-factory-title": "2.0.1", "micromark-factory-whitespace": "2.0.1", "micromark-util-character": "2.1.1", "micromark-util-chunked": "2.0.1", "micromark-util-classify-character": "2.0.1", "micromark-util-html-tag-name": "2.0.1", "micromark-util-normalize-identifier": "2.0.1", "micromark-util-resolve-all": "2.0.1", "micromark-util-subtokenize": "2.1.0", "micromark-util-symbol": "2.0.1", "micromark-util-types": "2.0.2" } }, "sha512-RDBrHEMSxVFLg6xvnXmb1Ayr2WzLAWjeSATAoxwKYJV94TeNavgoIdA0a9ytzDSVzBy2YKFK+emCPOEibLeCrg=="], @@ -729,9 +958,13 @@ "oniguruma-to-es": ["oniguruma-to-es@4.3.4", "", { "dependencies": { "oniguruma-parser": "0.12.1", "regex": "6.1.0", "regex-recursion": "6.0.2" } }, "sha512-3VhUGN3w2eYxnTzHn+ikMI+fp/96KoRSVK9/kMTcFqj1NRDh2IhQCKvYxDnWePKRXY/AqH+Fuiyb7VHSzBjHfA=="], + "package-manager-detector": ["package-manager-detector@1.7.0", "", {}, "sha512-xg1eHpwYL/D/HEdWw2goFZP6vV0FH7W+PZ5rFkGjdIDLtxq7EkzBUeT3m+lndYCt8wKbmofUu1MUdMCXkCk9ZQ=="], + "parse-entities": ["parse-entities@4.0.2", "", { "dependencies": { "@types/unist": "2.0.11", "character-entities-legacy": "3.0.0", "character-reference-invalid": "2.0.1", "decode-named-character-reference": "1.3.0", "is-alphanumerical": "2.0.1", "is-decimal": "2.0.1", "is-hexadecimal": "2.0.1" } }, "sha512-GG2AQYWoLgL877gQIKeRPGO1xF9+eG1ujIb5soS5gPvLQ1y2o8FL90w2QWNdf9I361Mpp7726c+lj3U0qK1uGw=="], - "parse5": ["parse5@7.3.0", "", { "dependencies": { "entities": "6.0.1" } }, "sha512-IInvU7fabl34qmi9gY8XOVxhYyMyuH2xUNpb2q8/Y+7552KlejkRvqvD19nMoUW/uQGGbqNpA6Tufu5FL5BZgw=="], + "parse5": ["parse5@8.0.1", "", { "dependencies": { "entities": "^8.0.0" } }, "sha512-z1e/HMG90obSGeidlli3hj7cbocou0/wa5HacvI3ASx34PecNjNQeaHNo5WIZpWofN9kgkqV1q5YvXe3F0FoPw=="], + + "path-data-parser": ["path-data-parser@0.1.0", "", {}, "sha512-NOnmBpt5Y2RWbuv0LMzsayp3lVylAHLPUTut412ZA3l+C4uw4ZVkQbjShYCQ8TCpUMdPapr4YjUqLYD6v68j+w=="], "path-key": ["path-key@3.1.1", "", {}, "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q=="], @@ -741,6 +974,10 @@ "picomatch": ["picomatch@4.0.3", "", {}, "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q=="], + "points-on-curve": ["points-on-curve@0.2.0", "", {}, "sha512-0mYKnYYe9ZcqMCWhUjItv/oHjvgEsfKvnUTg8sAtnHr3GVy7rGkXCb6d5cSyqrWqL4k81b9CPg3urd+T7aop3A=="], + + "points-on-path": ["points-on-path@0.2.1", "", { "dependencies": { "path-data-parser": "0.1.0", "points-on-curve": "0.2.0" } }, "sha512-25ClnWWuw7JbWZcgqY/gJ4FQWadKxGWk+3kR/7kD0tCaDtPPMj7oHu2ToLaVhfpnHrZzYby2w6tUA0eOIuUg8g=="], + "postcss": ["postcss@8.5.6", "", { "dependencies": { "nanoid": "3.3.11", "picocolors": "1.1.1", "source-map-js": "1.2.1" } }, "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg=="], "postcss-selector-parser": ["postcss-selector-parser@7.1.1", "", { "dependencies": { "cssesc": "3.0.0", "util-deprecate": "1.0.2" } }, "sha512-orRsuYpJVw8LdAwqqLykBj9ecS5/cRHlI5+nvTo8LcCKmzDmqVORXtOIYEEQuL9D4BxtA1lm5isAqzQZCoQ6Eg=="], @@ -755,6 +992,8 @@ "protobufjs": ["protobufjs@7.5.4", "", { "dependencies": { "@protobufjs/aspromise": "1.1.2", "@protobufjs/base64": "1.1.2", "@protobufjs/codegen": "2.0.4", "@protobufjs/eventemitter": "1.1.0", "@protobufjs/fetch": "1.1.0", "@protobufjs/float": "1.0.2", "@protobufjs/inquire": "1.1.0", "@protobufjs/path": "1.1.2", "@protobufjs/pool": "1.1.0", "@protobufjs/utf8": "1.1.0", "@types/node": "25.2.3", "long": "5.3.2" } }, "sha512-CvexbZtbov6jW2eXAvLukXjXUW1TzFaivC46BpWc/3BpcCysb5Vffu+B3XHMm8lVEuy2Mm4XGex8hBSg1yapPg=="], + "punycode": ["punycode@2.3.1", "", {}, "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg=="], + "punycode.js": ["punycode.js@2.3.1", "", {}, "sha512-uxFIHU0YlHYhDQtV4R9J6a52SLx28BCjT+4ieh7IGbgwVJWO+km431c4yRlREUAsAmt/uMjQUyQHNEPf0M39CA=="], "query-selector-shadow-dom": ["query-selector-shadow-dom@1.0.1", "", {}, "sha512-lT5yCqEBgfoMYpf3F2xQRK7zEr1rhIIZuceDK6+xRkJQ4NMbHTwXqk4NkwDwQMNqXgG9r9fyHnzwNVs6zV5KRw=="], @@ -803,8 +1042,20 @@ "remark-stringify": ["remark-stringify@11.0.0", "", { "dependencies": { "@types/mdast": "4.0.4", "mdast-util-to-markdown": "2.1.2", "unified": "11.0.5" } }, "sha512-1OSmLd3awB/t8qdoEOMazZkNsfVTeY4fTsgzcQFdXNq8ToTN4ZGwrMnlda4K6smTFKD+GRV6O48i6Z4iKgPPpw=="], + "require-from-string": ["require-from-string@2.0.2", "", {}, "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw=="], + "resolve-pkg-maps": ["resolve-pkg-maps@1.0.0", "", {}, "sha512-seS2Tj26TBVOC2NIc2rOe2y2ZO7efxITtLZcGSOnHHNOQ7CkiUBfw0Iw2ck6xkIhPwLhKNLS8BO+hEpngQlqzw=="], + "robust-predicates": ["robust-predicates@3.0.3", "", {}, "sha512-NS3levdsRIUOmiJ8FZWCP7LG3QpJyrs/TE0Zpf1yvZu8cAJJ6QMW92H1c7kWpdIHo8RvmLxN/o2JXTKHp74lUA=="], + + "roughjs": ["roughjs@4.6.6", "", { "dependencies": { "hachure-fill": "^0.5.2", "path-data-parser": "^0.1.0", "points-on-curve": "^0.2.0", "points-on-path": "^0.2.1" } }, "sha512-ZUz/69+SYpFN/g/lUlo2FXcIjRkSu3nDarreVdGGndHEBJ6cXPdKguS8JGxwj5HA5xIbVKSmLgr5b3AWxtRfvQ=="], + + "rw": ["rw@1.3.3", "", {}, "sha512-PdhdWy89SiZogBLaw42zdeqtRJ//zFd2PgQavcICDUgJT5oW10QCRKbJ6bg4r0/UY2M6BWd5tkxuGFRvCkgfHQ=="], + + "safer-buffer": ["safer-buffer@2.1.2", "", {}, "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="], + + "saxes": ["saxes@6.0.0", "", { "dependencies": { "xmlchars": "^2.2.0" } }, "sha512-xAg7SOnEhrm5zI3puOOKyy1OMcMlIJZYNJY7xLBwSze0UjhPLnWfj2GF2EpT0jmzaJKIWKHLsaSSajf35bcYnA=="], + "scheduler": ["scheduler@0.27.0", "", {}, "sha512-eNv+WrVbKu1f3vbYJT/xtiF5syA5HPIMtf9IgY/nKg0sWqzAUEvqY/xm7OcZc/qafLx/iO9FgOmeSAp4v5ti/Q=="], "scroll-into-view-if-needed": ["scroll-into-view-if-needed@3.1.0", "", { "dependencies": { "compute-scroll-into-view": "3.1.1" } }, "sha512-49oNpRjWRvnU8NyGVmUaYG4jtTkNonFZI86MmGRDqBphEK2EXT9gdEUoQPZhuBM8yWHxCWbobltqYO5M4XrUvQ=="], @@ -833,6 +1084,10 @@ "styled-jsx": ["styled-jsx@5.1.6", "", { "dependencies": { "client-only": "0.0.1" }, "peerDependencies": { "react": "19.2.4" } }, "sha512-qSVyDTeMotdvQYoHWLNGwRFJHC+i+ZvdBRYosOFgC+Wg1vx4frN2/RG/NA7SYqqvKNLf39P2LSRA2pu6n0XYZA=="], + "stylis": ["stylis@4.4.0", "", {}, "sha512-5Z9ZpRzfuH6l/UAvCPAPUo3665Nk2wLaZU3x+TLHKVzIz33+sbJqbtrYoC3KD4/uVOr2Zp+L0LySezP9OHV9yA=="], + + "symbol-tree": ["symbol-tree@3.2.4", "", {}, "sha512-9QNk5KwDF+Bvz+PyObkmSYjI5ksVUYtjW7AU22r2NKcfLJcXp96hkDWU3+XndOsUb+AQ9QhfzfCT2O+CNWT5Tw=="], + "tailwind-merge": ["tailwind-merge@3.4.0", "", {}, "sha512-uSaO4gnW+b3Y2aWoWfFpX62vn2sR3skfhbjsEnaBI81WD1wBLlHZe5sWf0AqjksNdYTbGBEd0UasQMT3SNV15g=="], "tailwindcss": ["tailwindcss@4.1.18", "", {}, "sha512-4+Z+0yiYyEtUVCScyfHCxOYP06L5Ne+JiHhY2IjR2KWMIWhJOYZKLSGZaP5HkZ8+bY0cxfzwDE5uOmzFXyIwxw=="], @@ -843,10 +1098,20 @@ "tinyglobby": ["tinyglobby@0.2.15", "", { "dependencies": { "fdir": "6.5.0", "picomatch": "4.0.3" } }, "sha512-j2Zq4NyQYG5XMST4cbs02Ak8iJUdxRM0XI5QyxXuZOzKOINmWurp3smXu3y5wDcJrptwpSjgXHzIQxR0omXljQ=="], + "tldts": ["tldts@7.4.7", "", { "dependencies": { "tldts-core": "^7.4.7" }, "bin": { "tldts": "bin/cli.js" } }, "sha512-56L0/9HELHSsG1bFCzay8UoLxzRL7kpFf7Wl5q/kSYwiSJGACvro61xnKzPNM+SadxllzdtXsKDSXE7HPeqIAw=="], + + "tldts-core": ["tldts-core@7.4.7", "", {}, "sha512-rNlAI8fKn/JckBMUSbNL/ES2kmDiurWaE49l+ikwEc9A6lFR7gMx9AhgQMQKBK4H5w4pKLH64JzZfB99uRsGNQ=="], + + "tough-cookie": ["tough-cookie@6.0.2", "", { "dependencies": { "tldts": "^7.0.5" } }, "sha512-exgYmnmL/sJpR3upZfXG5PoatXQii55xAiXGXzY+sROLZ/Y+SLcp9PgJNI9Vz37HpQ74WvDcLT8eqm+kV3FzrA=="], + + "tr46": ["tr46@6.0.0", "", { "dependencies": { "punycode": "^2.3.1" } }, "sha512-bLVMLPtstlZ4iMQHpFHTR7GAGj2jxi8Dg0s2h2MafAE4uSWF98FC/3MomU51iQAMf8/qDUbKWf5GxuvvVcXEhw=="], + "trim-lines": ["trim-lines@3.0.1", "", {}, "sha512-kRj8B+YHZCc9kQYdWfJB2/oUl9rA99qbowYYBtr4ui4mZyAQ2JpvVBd/6U2YloATfqBhBTSMhTpgBHtU0Mf3Rg=="], "trough": ["trough@2.2.0", "", {}, "sha512-tmMpK00BjZiUyVyvrBK7knerNgmgvcV/KLVyuma/SC+TQN167GrMRciANTz09+k3zW8L8t60jWO1GpfkZdjTaw=="], + "ts-dedent": ["ts-dedent@2.3.0", "", {}, "sha512-JfJeIHke7y2egdGGgRAvpCwYFUsHlM2gPcrVOxFkznt/4uzQ7HFmvE63iFHVLBJNDuyDOQgijDK/tXH/f6Msjg=="], + "tslib": ["tslib@2.8.1", "", {}, "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w=="], "tsx": ["tsx@4.21.0", "", { "dependencies": { "esbuild": "0.27.3", "get-tsconfig": "4.13.6" }, "optionalDependencies": { "fsevents": "2.3.3" }, "bin": { "tsx": "dist/cli.mjs" } }, "sha512-5C1sg4USs1lfG0GFb2RLXsdpXqBSEhAaA/0kPL01wxzpMqLILNxIxIOKiILz+cdg/pLnOUxFYOR5yhHU666wbw=="], @@ -861,7 +1126,9 @@ "uc.micro": ["uc.micro@2.1.0", "", {}, "sha512-ARDJmphmdvUk6Glw7y9DQ2bFkKBHwQHLi2lsaH6PPmz/Ka9sFOBsBluozhDltWmnv9u/cF6Rt87znRTPV+yp/A=="], - "undici-types": ["undici-types@7.16.0", "", {}, "sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw=="], + "undici": ["undici@7.28.0", "", {}, "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA=="], + + "undici-types": ["undici-types@7.28.0", "", {}, "sha512-LJAfY+2w6HGeT8d8J1wNQsUGUEGio6NWWpwdwurQe4f6oojzCFuGLizl1KSve4irsTxyLly1QhEeE6iapdaIvQ=="], "unified": ["unified@11.0.5", "", { "dependencies": { "@types/unist": "3.0.3", "bail": "2.0.2", "devlop": "1.1.0", "extend": "3.0.2", "is-plain-obj": "4.1.0", "trough": "2.2.0", "vfile": "6.0.3" } }, "sha512-xKvGhPWw3k84Qjh8bI3ZeJjqnyadK+GEFtazSfZv/rKeTkTjOJho6mFqh2SM96iIcZokxiOpg78GazTSg8+KHA=="], @@ -885,18 +1152,32 @@ "util-deprecate": ["util-deprecate@1.0.2", "", {}, "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw=="], + "uuid": ["uuid@14.0.1", "", { "bin": { "uuid": "dist-node/bin/uuid" } }, "sha512-6ZxzVpzDXDa3bJWaHilVayA+BH/1zmxCJoVgvmqJnid/gPoKHxUrS/aC/T6LGQtNHT+XHG9fXPJB4d+IrU30Ew=="], + "vfile": ["vfile@6.0.3", "", { "dependencies": { "@types/unist": "3.0.3", "vfile-message": "4.0.3" } }, "sha512-KzIbH/9tXat2u30jf+smMwFCsno4wHVdNmzFyL+T/L3UGqqk6JKfVqOFOZEpZSHADH1k40ab6NUIXZq422ov3Q=="], "vfile-location": ["vfile-location@5.0.3", "", { "dependencies": { "@types/unist": "3.0.3", "vfile": "6.0.3" } }, "sha512-5yXvWDEgqeiYiBe1lbxYF7UMAIm/IcopxMHrMQDq3nvKcjPKIhZklUKL+AE7J7uApI4kwe2snsK+eI6UTj9EHg=="], "vfile-message": ["vfile-message@4.0.3", "", { "dependencies": { "@types/unist": "3.0.3", "unist-util-stringify-position": "4.0.0" } }, "sha512-QTHzsGd1EhbZs4AsQ20JX1rC3cOlt/IWJruk893DfLRr57lcnOeMaWG4K0JrRta4mIJZKth2Au3mM3u03/JWKw=="], + "w3c-xmlserializer": ["w3c-xmlserializer@5.0.0", "", { "dependencies": { "xml-name-validator": "^5.0.0" } }, "sha512-o8qghlI8NZHU1lLPrpi2+Uq7abh4GGPpYANlalzWxyWteJOCsr/P+oPBA49TOLu5FTZO4d3F9MnWJfiMo4BkmA=="], + "web-namespaces": ["web-namespaces@2.0.1", "", {}, "sha512-bKr1DkiNa2krS7qxNtdrtHAmzuYGFQLiQ13TsorsdT6ULTkPLKuu5+GsFpDlg6JFjUTwX2DyhMPG2be8uPrqsQ=="], "web-vitals": ["web-vitals@5.1.0", "", {}, "sha512-ArI3kx5jI0atlTtmV0fWU3fjpLmq/nD3Zr1iFFlJLaqa5wLBkUSzINwBPySCX/8jRyjlmy1Volw1kz1g9XE4Jg=="], + "webidl-conversions": ["webidl-conversions@8.0.1", "", {}, "sha512-BMhLD/Sw+GbJC21C/UgyaZX41nPt8bUTg+jWyDeg7e7YN4xOM05YPSIXceACnXVtqyEw/LMClUQMtMZ+PGGpqQ=="], + + "whatwg-mimetype": ["whatwg-mimetype@5.0.0", "", {}, "sha512-sXcNcHOC51uPGF0P/D4NVtrkjSU2fNsm9iog4ZvZJsL3rjoDAzXZhkm2MWt1y+PUdggKAYVoMAIYcs78wJ51Cw=="], + + "whatwg-url": ["whatwg-url@16.0.1", "", { "dependencies": { "@exodus/bytes": "^1.11.0", "tr46": "^6.0.0", "webidl-conversions": "^8.0.1" } }, "sha512-1to4zXBxmXHV3IiSSEInrreIlu02vUOvrhxJJH5vcxYTBDAx51cqZiKdyTxlecdKNSjj8EcxGBxNf6Vg+945gw=="], + "which": ["which@2.0.2", "", { "dependencies": { "isexe": "2.0.0" }, "bin": { "node-which": "./bin/node-which" } }, "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA=="], + "xml-name-validator": ["xml-name-validator@5.0.0", "", {}, "sha512-EvGK8EJ3DhaHfbRlETOWAS5pO9MZITeauHKJyb8wyajUfQUenkIg2MvLDTZ4T/TgIcm3HU0TFBgWWboAZ30UHg=="], + + "xmlchars": ["xmlchars@2.2.0", "", {}, "sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw=="], + "yaml": ["yaml@2.8.2", "", { "bin": { "yaml": "bin.mjs" } }, "sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A=="], "zod": ["zod@4.3.6", "", {}, "sha512-rftlrkhHZOcjDwkGlnUtZZkvaPHCsDATp4pGpuOOMDaTdDDXF91wuVDJoWoPsKX/3YPQ5fHuF3STjcYyKr+Qhg=="], @@ -921,17 +1202,35 @@ "@radix-ui/react-primitive/@radix-ui/react-slot": ["@radix-ui/react-slot@1.2.3", "", { "dependencies": { "@radix-ui/react-compose-refs": "1.1.2" }, "optionalDependencies": { "@types/react": "19.2.14" }, "peerDependencies": { "react": "19.2.4" } }, "sha512-aeNmHnBxbi2St0au6VBVC7JXFlhLlOnvIIlePNniyUNAClzmtAUEY8/pBiK3iHjufOlwA+c20/8jngo7xcrg8A=="], + "@types/node/undici-types": ["undici-types@7.16.0", "", {}, "sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw=="], + + "cytoscape-fcose/cose-base": ["cose-base@2.2.0", "", { "dependencies": { "layout-base": "^2.0.0" } }, "sha512-AzlgcsCbUMymkADOJtQm3wO9S3ltPfYOFD5033keQn9NJzIbtnZj+UdBJe7DYml/8TdbtHJW3j58SOnKhWY/5g=="], + + "d3-dsv/commander": ["commander@7.2.0", "", {}, "sha512-QrWXB+ZQSVPmIWIhtEO9H+gwHaMGYiF5ChvoJ+K9ZGHG/sVsa6yiesAD1GC/x46sET00Xlwo1u49RVVVzvcSkw=="], + + "d3-sankey/d3-array": ["d3-array@2.12.1", "", { "dependencies": { "internmap": "^1.0.0" } }, "sha512-B0ErZK/66mHtEsR1TkPEEkwdy+WDesimkM5gpZr5Dsg54BiTA5RXtYW5qTLIAcekaS9xfZrzBLF/OAkB3Qn1YQ=="], + + "d3-sankey/d3-shape": ["d3-shape@1.3.7", "", { "dependencies": { "d3-path": "1" } }, "sha512-EUkvKjqPFUAZyOlhY5gzCxCeI0Aep04LwIRpsZ/mLFelJiUfnK56jo5JMDSE7yyP2kLSb6LtF+S5chMk7uqPqw=="], + "fumadocs-core/next": ["next@16.1.6", "", { "dependencies": { "@next/env": "16.1.6", "@swc/helpers": "0.5.15", "baseline-browser-mapping": "2.9.19", "caniuse-lite": "1.0.30001769", "postcss": "8.4.31", "styled-jsx": "5.1.6" }, "optionalDependencies": { "@next/swc-darwin-arm64": "16.1.6", "@next/swc-darwin-x64": "16.1.6", "@next/swc-linux-arm64-gnu": "16.1.6", "@next/swc-linux-arm64-musl": "16.1.6", "@next/swc-linux-x64-gnu": "16.1.6", "@next/swc-linux-x64-musl": "16.1.6", "@next/swc-win32-arm64-msvc": "16.1.6", "@next/swc-win32-x64-msvc": "16.1.6", "@opentelemetry/api": "1.9.0", "sharp": "0.34.5" }, "peerDependencies": { "react": "19.2.4", "react-dom": "19.2.4" }, "bin": { "next": "dist/bin/next" } }, "sha512-hkyRkcu5x/41KoqnROkfTm2pZVbKxvbZRuNvKXLRXxs3VfyO0WhY50TQS40EuKO9SW3rBj/sF3WbVwDACeMZyw=="], "fumadocs-mdx/next": ["next@16.1.6", "", { "dependencies": { "@next/env": "16.1.6", "@swc/helpers": "0.5.15", "baseline-browser-mapping": "2.9.19", "caniuse-lite": "1.0.30001769", "postcss": "8.4.31", "styled-jsx": "5.1.6" }, "optionalDependencies": { "@next/swc-darwin-arm64": "16.1.6", "@next/swc-darwin-x64": "16.1.6", "@next/swc-linux-arm64-gnu": "16.1.6", "@next/swc-linux-arm64-musl": "16.1.6", "@next/swc-linux-x64-gnu": "16.1.6", "@next/swc-linux-x64-musl": "16.1.6", "@next/swc-win32-arm64-msvc": "16.1.6", "@next/swc-win32-x64-msvc": "16.1.6", "@opentelemetry/api": "1.9.0", "sharp": "0.34.5" }, "peerDependencies": { "react": "19.2.4", "react-dom": "19.2.4" }, "bin": { "next": "dist/bin/next" } }, "sha512-hkyRkcu5x/41KoqnROkfTm2pZVbKxvbZRuNvKXLRXxs3VfyO0WhY50TQS40EuKO9SW3rBj/sF3WbVwDACeMZyw=="], "fumadocs-ui/next": ["next@16.1.6", "", { "dependencies": { "@next/env": "16.1.6", "@swc/helpers": "0.5.15", "baseline-browser-mapping": "2.9.19", "caniuse-lite": "1.0.30001769", "postcss": "8.4.31", "styled-jsx": "5.1.6" }, "optionalDependencies": { "@next/swc-darwin-arm64": "16.1.6", "@next/swc-darwin-x64": "16.1.6", "@next/swc-linux-arm64-gnu": "16.1.6", "@next/swc-linux-arm64-musl": "16.1.6", "@next/swc-linux-x64-gnu": "16.1.6", "@next/swc-linux-x64-musl": "16.1.6", "@next/swc-win32-arm64-msvc": "16.1.6", "@next/swc-win32-x64-msvc": "16.1.6", "@opentelemetry/api": "1.9.0", "sharp": "0.34.5" }, "peerDependencies": { "react": "19.2.4", "react-dom": "19.2.4" }, "bin": { "next": "dist/bin/next" } }, "sha512-hkyRkcu5x/41KoqnROkfTm2pZVbKxvbZRuNvKXLRXxs3VfyO0WhY50TQS40EuKO9SW3rBj/sF3WbVwDACeMZyw=="], + "hast-util-raw/parse5": ["parse5@7.3.0", "", { "dependencies": { "entities": "6.0.1" } }, "sha512-IInvU7fabl34qmi9gY8XOVxhYyMyuH2xUNpb2q8/Y+7552KlejkRvqvD19nMoUW/uQGGbqNpA6Tufu5FL5BZgw=="], + + "markdown-it/entities": ["entities@4.5.0", "", {}, "sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw=="], + "next/postcss": ["postcss@8.4.31", "", { "dependencies": { "nanoid": "3.3.11", "picocolors": "1.1.1", "source-map-js": "1.2.1" } }, "sha512-PS08Iboia9mts/2ygV3eLpY5ghnUcfLV/EXTOW1E2qYxJKGGBUtNjN76FYHnMs36RmARn41bC0AZmn+rR0OVpQ=="], "parse-entities/@types/unist": ["@types/unist@2.0.11", "", {}, "sha512-CmBKiL6NNo/OqgmMn95Fk9Whlp2mtvIv+KNpQKN2F4SjvrEesubTRWGYSg+BnWZOnlCaSTU1sMpsBOzgbYhnsA=="], - "parse5/entities": ["entities@6.0.1", "", {}, "sha512-aN97NXWF6AWBTahfVOIrB/NShkzi5H7F9r1s9mD3cDj4Ko5f2qhhVoYMibXF7GlLveb/D2ioWay8lxI97Ven3g=="], + "posthog-js/dompurify": ["dompurify@3.3.1", "", { "optionalDependencies": { "@types/trusted-types": "2.0.7" } }, "sha512-qkdCKzLNtrgPFP1Vo+98FRzJnBRGe4ffyCea9IwHB1fyxPOeNTHpLKYGd4Uk9xvNoH0ZoOjwZxNptyMwqrId1Q=="], + + "cytoscape-fcose/cose-base/layout-base": ["layout-base@2.0.1", "", {}, "sha512-dp3s92+uNI1hWIpPGH3jK2kxE2lMjdXdr+DH8ynZHpd6PUlH6x6cbuXnoMmiNumznqaNO31xu9e79F0uuZ0JFg=="], + + "d3-sankey/d3-shape/d3-path": ["d3-path@1.0.9", "", {}, "sha512-VLaYcn81dtHVTjEHd8B+pbe9yHWpXKZUC87PzoFmsFrJqgFwDe/qxfp5MlfsfM1V5E/iVt0MmEbWQ7FVIXh/bg=="], "fumadocs-core/next/@next/env": ["@next/env@16.1.6", "", {}, "sha512-N1ySLuZjnAtN3kFnwhAwPvZah8RJxKasD7x1f8shFqhncnWZn4JMfg37diLNuoHsLAlrDfM3g4mawVdtAG8XLQ=="], @@ -992,5 +1291,7 @@ "fumadocs-ui/next/@next/swc-win32-x64-msvc": ["@next/swc-win32-x64-msvc@16.1.6", "", { "os": "win32", "cpu": "x64" }, "sha512-NRfO39AIrzBnixKbjuo2YiYhB6o9d8v/ymU9m/Xk8cyVk+k7XylniXkHwjs4s70wedVffc6bQNbufk5v0xEm0A=="], "fumadocs-ui/next/postcss": ["postcss@8.4.31", "", { "dependencies": { "nanoid": "3.3.11", "picocolors": "1.1.1", "source-map-js": "1.2.1" } }, "sha512-PS08Iboia9mts/2ygV3eLpY5ghnUcfLV/EXTOW1E2qYxJKGGBUtNjN76FYHnMs36RmARn41bC0AZmn+rR0OVpQ=="], + + "hast-util-raw/parse5/entities": ["entities@6.0.1", "", {}, "sha512-aN97NXWF6AWBTahfVOIrB/NShkzi5H7F9r1s9mD3cDj4Ko5f2qhhVoYMibXF7GlLveb/D2ioWay8lxI97Ven3g=="], } } diff --git a/content/docs/concepts/compare/index.mdx b/content/docs/concepts/compare/index.mdx new file mode 100644 index 0000000..5c34ec1 --- /dev/null +++ b/content/docs/concepts/compare/index.mdx @@ -0,0 +1,9 @@ +--- +title: Comparisons +description: "How CipherStash compares to other approaches to protecting data." +type: concept +--- + +This section is being built as part of the docs V2 overhaul ([CIP-3307](https://linear.app/cipherstash/issue/CIP-3307)). Track progress in [IA.md](https://github.com/cipherstash/docs/blob/v2/IA.md). + +Until it lands, current documentation lives in the [existing docs](/stack). diff --git a/content/docs/concepts/compare/meta.json b/content/docs/concepts/compare/meta.json new file mode 100644 index 0000000..76e9696 --- /dev/null +++ b/content/docs/concepts/compare/meta.json @@ -0,0 +1,5 @@ +{ + "title": "Comparisons", + "icon": "Scale", + "pages": ["..."] +} diff --git a/content/docs/concepts/index.mdx b/content/docs/concepts/index.mdx new file mode 100644 index 0000000..3d36567 --- /dev/null +++ b/content/docs/concepts/index.mdx @@ -0,0 +1,9 @@ +--- +title: Concepts +description: "How CipherStash works and how to think about searchable encryption, keys, and identity." +type: concept +--- + +This section is being built as part of the docs V2 overhaul ([CIP-3307](https://linear.app/cipherstash/issue/CIP-3307)). Track progress in [IA.md](https://github.com/cipherstash/docs/blob/v2/IA.md). + +Until it lands, current documentation lives in the [existing docs](/stack). diff --git a/content/docs/concepts/meta.json b/content/docs/concepts/meta.json new file mode 100644 index 0000000..49d9122 --- /dev/null +++ b/content/docs/concepts/meta.json @@ -0,0 +1,5 @@ +{ + "title": "Concepts", + "icon": "Lightbulb", + "pages": ["...", "compare"] +} diff --git a/content/docs/concepts/searchable-encryption.mdx b/content/docs/concepts/searchable-encryption.mdx new file mode 100644 index 0000000..689d1fd --- /dev/null +++ b/content/docs/concepts/searchable-encryption.mdx @@ -0,0 +1,9 @@ +--- +title: Searchable encryption +description: "How querying encrypted data works, and exactly what each index term reveals." +type: concept +--- + +This page is being rewritten as part of the docs V2 overhaul ([CIP-3333](https://linear.app/cipherstash/issue/CIP-3333)). Track progress in [IA.md](https://github.com/cipherstash/docs/blob/v2/IA.md). + +Until it lands, the current version lives in the [existing docs](/stack/cipherstash/encryption/searchable-encryption). diff --git a/content/docs/get-started/choose-your-stack.mdx b/content/docs/get-started/choose-your-stack.mdx new file mode 100644 index 0000000..94f9e5c --- /dev/null +++ b/content/docs/get-started/choose-your-stack.mdx @@ -0,0 +1,105 @@ +--- +title: Choose your stack +description: "Pick an integration path: SDK or Proxy, your Postgres platform, your ORM, and your identity provider." +type: guide +components: [encryption, proxy, eql, platform] +audience: [developer, cto] +--- + +Four decisions, in order. The first one matters most; the rest usually follow from what you already run. + +## 1. SDK or Proxy + +| | [Stack SDK](/reference/stack) | [Proxy](/reference/proxy) | +|---|---|---| +| Where encryption happens | In your application process | In the proxy, which you run | +| Application changes | Encrypt and decrypt calls, or an ORM wrapper that adds them for you | Point your connection string at the proxy | +| Best when | You own the code and want fine-grained control | You cannot change the application, or it isn't TypeScript | +| Language | TypeScript / JavaScript | Any. It speaks the Postgres wire protocol | +| Runs where | Your app | A container or sidecar in your infrastructure | + +Both produce the same ciphertext and both speak [EQL](/reference/eql), so this is not a one-way door. You can move a table from one to the other without re-encrypting it. + +Start with the SDK unless you already know you can't change the application. + +## 2. Your Postgres + +EQL installs into any Postgres you can connect to. It needs no extension, no superuser, and no `postgresql.conf` changes. + +| Platform | Works | Notes | +|---|---|---| +| Supabase | Yes | [Supabase integration](/integrations/supabase). Expose the `eql_v3` schema in the dashboard. | +| Neon, RDS, Aurora, Cloud SQL | Yes | `stash eql install` detects a non-superuser role and adapts. | +| Self-hosted Postgres | Yes | Full operator-class support, so the ORE ordering mechanism is available. | +| Postgres behind PgBouncer | Yes | Transaction pooling is fine. Proxy has its own pooling. | +| DynamoDB | Yes, without EQL | [DynamoDB integration](/stack/cipherstash/encryption/dynamodb). Encrypted attributes and HMAC key lookups; no EQL, because there's no Postgres. | +| MySQL, MongoDB, others | Not yet | The SDK still encrypts values for you, but nothing is queryable server-side. | + + +Managed platforms usually block custom operator class creation. That's why the default ordering mechanism is moving to OPE, which indexes under Postgres's default btree operator class. See [SEM specifiers](/reference/eql/core-concepts#sem-specifiers). + + +## 3. Your ORM + +| Query layer | Path | What it looks like | +|---|---|---| +| Drizzle | [Drizzle integration](/stack/cipherstash/encryption/drizzle) | An `encryptedType` column and typed query operators. Your Drizzle code keeps its shape. | +| Supabase JS | [Supabase integration](/integrations/supabase) | `encryptedSupabase` wraps the client. `.eq()`, `.like()`, `.gt()` keep working. | +| Prisma | [Prisma integration](/stack/cipherstash/encryption/prisma-next) | Encrypt in the data layer around Prisma calls. | +| Raw SQL | [Quickstart](/get-started/quickstart) | Encrypt the value, insert it, cast the query operand. | +| An ORM we don't list | The SDK | Encrypt before write, decrypt after read. Every ORM supports that. | + +If you use no ORM, nothing is missing. The SDK's `encrypt` and `encryptQuery` are the whole surface. + +## 4. Identity binding + +Reach for this when a value should be decryptable only by the user it belongs to, rather than by anything holding the application's credentials. It is also what shrinks the blast radius of a compromised application process. + +It requires an OIDC provider, registered on the [OIDC providers](https://dashboard.cipherstash.com/workspaces/_/oidc-providers) page in the Dashboard. + +| Provider | Supported | +|---|---| +| Supabase Auth | Yes | +| Clerk | Yes | +| Auth0 | Yes | +| Okta | Yes | +| Any OIDC issuer | Yes, if it publishes a discovery endpoint | + +See [provable access control](/solutions/provable-access) for what this buys you, and what it does not. + +## Where CipherStash sits among the encryption you already have + +Encryption at rest and in transit are not alternatives to this. They protect different things, and you should keep both. + +| | At rest | In transit | In use | +|---|---|---|---| +| Protects the disk | Yes | No | Yes | +| Protects the wire | No | Yes | Yes | +| Protects during a query | No | No | Yes | +| Plaintext visible to the database | Yes | Yes | **No** | +| Queryable without decrypting | n/a | n/a | Yes | + +A database breach defeats encryption at rest, because the database decrypts on read. That is the gap this fills. + +## From development to production + +| Stage | Credentials | Setup | +|---|---|---| +| Local development | Device-based | `stash init` per developer. No environment variables. | +| CI and staging | Machine | An application client key, plus `CS_*` environment variables. | +| Production | Machine | Same, with the client key held in your secret manager. | + +Device auth gives each developer their own identity, so local decryptions are attributable. There's no interactive device in CI, hence the switch. See [going to production](/stack/deploy/going-to-production). + +## Still not sure + +A [discovery session](https://cipherstash.com/contact) is a 60-minute conversation with our engineering team. No slides. Bring whoever owns the data layer, and a compliance lead if that's someone else. + +Worth thinking through beforehand: + +- Which fields are sensitive, and which regulations cover them. +- Whether you need those fields **searchable**, or only stored and retrieved. Encrypt-only columns carry no index terms and leak nothing. +- Whether you need per-user decryption, or per-tenant isolation, or both. +- Your database, ORM, and deployment target, plus any restriction on native Node modules. + +You'll leave with a recommended path and answers to whatever is blocking you. diff --git a/content/docs/get-started/index.mdx b/content/docs/get-started/index.mdx new file mode 100644 index 0000000..14f25bc --- /dev/null +++ b/content/docs/get-started/index.mdx @@ -0,0 +1,24 @@ +--- +title: Get started +navTitle: Overview +description: "Encrypt your first field in ten minutes, then pick the integration path that matches your stack." +type: tutorial +audience: [developer] +--- + +CipherStash encrypts your data at the field level, in your application, and keeps the ciphertext queryable in Postgres. The database never sees plaintext, and neither do we. + +This section gets you from nothing to an encrypted, queryable field. It owns no mechanics: each page links to the reference that does. + +## Start here + +- **[What is CipherStash?](/get-started/what-is-cipherstash)** is the mental model. What the pieces are, what the trade is, and which door to walk through. +- **[Quickstart](/get-started/quickstart)** is ten minutes of typing. Encrypt a field, store it, query it without decrypting it, and read it back. It works against any Postgres: Supabase, Neon, RDS, or a container. +- **[Choose your stack](/get-started/choose-your-stack)** picks your integration path: SDK or Proxy, your platform, your ORM, and your identity provider. + +## Then pick your path + +- **Adopting CipherStash into an existing app?** [Integrations](/integrations) covers the platforms, ORMs, frameworks, and auth providers that wrap your existing client, so your queries keep the shape they already have. +- **Can't change the application?** [CipherStash Proxy](/reference/proxy) sits in front of Postgres and encrypts on the wire. +- **Want to understand it before you install it?** [Concepts](/concepts) explains searchable encryption, key management, and identity-aware encryption. +- **Evaluating for a security review?** [Architecture & security](/security) is written to be read end to end, starting with [Cryptography](/security/cryptography). diff --git a/content/docs/get-started/meta.json b/content/docs/get-started/meta.json new file mode 100644 index 0000000..a1ffe31 --- /dev/null +++ b/content/docs/get-started/meta.json @@ -0,0 +1,11 @@ +{ + "title": "Get started", + "icon": "Rocket", + "pages": [ + "index", + "what-is-cipherstash", + "quickstart", + "choose-your-stack", + "..." + ] +} diff --git a/content/docs/get-started/quickstart.mdx b/content/docs/get-started/quickstart.mdx new file mode 100644 index 0000000..999ff0d --- /dev/null +++ b/content/docs/get-started/quickstart.mdx @@ -0,0 +1,203 @@ +--- +title: Quickstart +description: "Encrypt, store, query, and decrypt your first field in Postgres, using the stash CLI and @cipherstash/stack." +type: tutorial +components: [encryption, eql, cli, platform] +audience: [developer] +verifiedAgainst: + stack: "0.19.0" + cli: "0.17.1" + eql: "3.0.0" +--- + +CipherStash encrypts your data at the field level. Every value gets its own encryption key, and the database never sees plaintext. A breach, a compromised agent, or a curious insider sees ciphertext. + +By the end of this page you will have encrypted a field, stored it in Postgres, queried it **without decrypting it**, and read it back. It takes about ten minutes and works with any Postgres: Supabase, Neon, RDS, or a Docker container. + +## Before you start + +- Node.js 18 or later. +- A Postgres database you can connect to. +- A [CipherStash account](https://dashboard.cipherstash.com/sign-up). The free plan is enough. + + + + + +## Initialize your project + +```bash cta cta-type="quickstart" example-id="quickstart-stash-init" +npx stash init +``` + +This opens a browser for device-based authentication, so local development needs no environment variables and no shared secrets. `init` then: + +1. Connects to your workspace. +2. Resolves your database connection and runs `stash eql install`, which installs [EQL](/reference/eql), the Postgres surface that makes encrypted columns queryable. +3. Installs `@cipherstash/stack` if it isn't already present. +4. Scaffolds an encryption module at `src/encryption/index.ts`. +5. Writes `.cipherstash/context.json` with what it detected about your project. + +See the [CLI reference](/reference/cli/init) for the flags, including `--supabase`, `--drizzle`, and `--prisma-next`. + + + + + +## Install EQL v3 + +This guide, and the rest of the EQL reference, targets **EQL v3**. `stash init` installs EQL v2 by default today, so ask for v3 explicitly: + +```bash example-id="quickstart-eql-v3" +npx stash eql install --eql-version 3 --force +``` + +`--force` reinstalls over the v2 schema that `init` just laid down. On a new database with no encrypted data, that is safe: there is nothing to migrate. + +Check what you ended up with: + +```bash +npx stash eql status +``` + + +`--eql-version` accepts `2` or `3` and **defaults to `2`** in `stash` 0.17.1. The default becomes `3` in a future release, at which point this step goes away. Pass the flag until then, so you know which generation you are on rather than inheriting a default that is about to change. + +v3 installs directly against the database, so the `--drizzle`, `--migration`, and `--latest` flags do not apply to it. See [installing EQL](/reference/eql) for the full options, including installing across several databases. + + + + + + +## Define what to encrypt + +`init` scaffolds `src/encryption/index.ts`. It declares which columns are encrypted, and exports a ready-to-use client. Edit it to match your table: + +```typescript filename="src/encryption/index.ts" +import { Encryption, encryptedTable, encryptedColumn } from "@cipherstash/stack" + +export const users = encryptedTable("users", { + email: encryptedColumn("email").equality(), +}) + +export const encryptionClient = await Encryption({ schemas: [users] }) +``` + +`.equality()` declares a **capability**: it is what makes `WHERE email = ?` work later. Add `.orderAndRange()` for `ORDER BY` and comparisons, or `.freeTextSearch()` for token containment. Declare only the capabilities you query on, because each one stores an extra index term alongside the ciphertext. + + +Prefer to have an agent do this? `npx stash plan` inspects your project and drafts `.cipherstash/plan.md` listing the columns worth encrypting. Review it, then `npx stash impl` applies it. This page does it by hand so you can see each moving part. + + + + + + +## Create the encrypted column + +An encrypted column is typed with an EQL domain. The domain you pick has to match the capability you declared: `.equality()` on a text column means `public.text_eq`. + +```sql filename="schema.sql" +CREATE TABLE users ( + id BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY, + email public.text_eq +); +``` + +The type is what fixes the column's searchable surface. There is no separate configuration table. See [core concepts](/reference/eql/core-concepts) for the full variant model. + + + + + +## Encrypt a value and store it + +```typescript filename="src/encrypt.ts" +import { encryptionClient, users } from "./encryption" + +const encrypted = await encryptionClient.encrypt("alice@example.com", { + column: users.email, + table: users, +}) + +if (encrypted.failure) { + throw new Error(`Encryption failed: ${encrypted.failure.message}`) +} + +await db.query("INSERT INTO users (email) VALUES ($1)", [encrypted.data]) +``` + +Every operation returns a `Result`: either `data` or `failure`, never both. Encryption happens in your process, so the plaintext never leaves it. + + + + + +## Query without decrypting + +Encrypt the search term, then use it in an ordinary `WHERE` clause. + +```typescript filename="src/query.ts" +import { encryptionClient, users } from "./encryption" + +const term = await encryptionClient.encryptQuery("alice@example.com", { + column: users.email, + table: users, +}) + +if (term.failure) { + throw new Error(`Query encryption failed: ${term.failure.message}`) +} + +const rows = await db.query( + "SELECT id, email FROM users WHERE email = $1::public.text_eq", + [term.data], +) +``` + +The cast matters. An encrypted operator only resolves against a **typed operand**, so `$1::public.text_eq` is what tells Postgres to compare encrypted terms rather than fall back to raw `jsonb` semantics. See [typed operands](/reference/eql/core-concepts). + +Postgres compares ciphertext against ciphertext. It never sees either plaintext. + + +`LIKE` and `ILIKE` do not work on encrypted columns, in any variant. Free-text matching uses bloom-filter token containment (`@>`) on a `text_match` or `text_search` column instead. See [text](/reference/eql/text). + + + + + + +## Decrypt + +```typescript filename="src/decrypt.ts" +const decrypted = await encryptionClient.decrypt(row.email) + +if (decrypted.failure) { + throw new Error(`Decryption failed: ${decrypted.failure.message}`) +} + +console.log(decrypted.data) // "alice@example.com" +``` + +`decrypt` takes the encrypted payload and nothing else. The payload carries the key ID it needs. + + + + + +## What you just built + +You encrypted a field, stored it, queried it without decrypting, and read it back. Underneath: + +- **ZeroKMS** returned a key seed, which your application processed with its client key to derive a **unique data key for that value**. The data key existed in your memory for one operation and was then discarded. See [cryptography](/security/cryptography). +- **Your client key** never left your infrastructure. Without it, nothing decrypts, including CipherStash. +- **Your keyset** is the isolation boundary. Data encrypted under one keyset cannot be decrypted with another, which is how you separate tenants or environments. +- **The index term** stored alongside the ciphertext is what let Postgres answer the query. Each capability you declare has a bounded, published leakage profile: an equality term lets an observer see which rows share a value, and nothing more. Declare only the capabilities you query on, so that what a column reveals stays within what your threat model already tolerates. See [searchable encryption](/concepts/searchable-encryption). + +## Next steps + +- **Using an ORM or Supabase?** The [Drizzle](/stack/cipherstash/encryption/drizzle) and [Supabase](/integrations/supabase) integrations wrap your existing client so queries look normal. +- **No app changes possible?** [CipherStash Proxy](/reference/proxy) sits in front of Postgres and does this transparently. +- **Bind decryption to a user.** [Provable access control](/solutions/provable-access) ties a value to the identity that encrypted it. +- **Ready to deploy?** [Going to production](/stack/deploy/going-to-production) covers the switch from device auth to machine credentials. diff --git a/content/docs/get-started/what-is-cipherstash.mdx b/content/docs/get-started/what-is-cipherstash.mdx new file mode 100644 index 0000000..49d4fe1 --- /dev/null +++ b/content/docs/get-started/what-is-cipherstash.mdx @@ -0,0 +1,113 @@ +--- +title: What is CipherStash? +description: "Field-level encryption that stays queryable in Postgres: the mental model, the pieces, and which door to walk through." +type: concept +components: [encryption, platform, eql, proxy] +audience: [developer, cto, ciso] +--- + +CipherStash encrypts individual fields in your application, before they reach the database, and keeps them queryable in Postgres. The database stores ciphertext and can still answer `WHERE`, `ORDER BY`, and containment queries against it. + +A breach yields ciphertext. So does a compromised agent, an over-permissioned service, and a curious insider. + +## The problem + +Encrypting a column has always meant losing the query. So teams encrypt at rest, which protects the disk and nothing else: the moment a query runs, the database has plaintext, and so does anyone who reached the database. + +That was tolerable when the thing reading your data was a person. It is less so now that it is an agent running on application credentials, at machine speed, one prompt injection away from exfiltration. + +## The mental model + +Three ideas carry the whole product. + +**Encryption happens in your process.** Not in the database, not on our infrastructure. Plaintext never leaves your application. + +**Every value gets its own key.** Not a table key or a column key. A per-value key, derived for one operation and discarded. Compromising one value tells an attacker nothing about the next. + +**Ciphertext stays queryable.** Alongside each encrypted value, the client stores index terms that let Postgres compare ciphertext without decrypting it. Which terms a column carries is something you choose, and it decides what the database could infer: see [choosing what each column reveals](#choosing-what-each-column-reveals). + +## The pieces + +```mermaid +flowchart TB + subgraph app["Your application"] + sdk["Stack SDK
encrypt / decrypt"] + end + + subgraph db["Your Postgres"] + eql["EQL
encrypted column types
and operators"] + end + + subgraph platform["CipherStash platform"] + zerokms["ZeroKMS
key seeds"] + cts["CTS
identity tokens"] + end + + proxy["Proxy
speaks EQL for you"] + + sdk -- ciphertext + index terms --> eql + proxy -- ciphertext + index terms --> eql + sdk <-- key seed --> zerokms + proxy <-- key seed --> zerokms + cts -. binds decryption
to an identity .-> sdk +``` + +| Piece | What it does | When you need it | +|---|---|---| +| [Stack SDK](/reference/stack) | Encrypts and decrypts values in your application | The default path. Start here. | +| [EQL](/reference/eql) | The Postgres surface: encrypted column types, operators, and term extractors | Always, if the data lives in Postgres. Installed once per database. | +| [Proxy](/reference/proxy) | Sits in front of Postgres and speaks EQL for you | When you cannot change the application | +| ZeroKMS | Returns a key seed per value; never sees your client key or a data key | Always. See [cryptography](/security/cryptography). | +| CTS | Federates your identity provider so decryption can be bound to a user | Only for [identity-aware encryption](/solutions/provable-access) | + +You rarely need all of them at once. The Stack SDK plus EQL is the common case. Proxy is the alternative to the SDK, not an addition to it. + +Note that **EQL is only for Postgres**. The SDK also encrypts values that never touch a database, and non-Postgres stores like [DynamoDB](/stack/cipherstash/encryption/dynamodb), with no EQL involved. + +## Choosing what each column reveals + +Querying ciphertext works because each value carries index terms derived from its plaintext. Those terms are not the plaintext, and what each one reveals is **bounded and published** rather than incidental: each scheme has a formal leakage profile. + +That turns leakage into a design choice rather than a surprise. You decide, per column, which capabilities to declare, and that decides what an observer of the database could infer: + +| You declare | So you can | An observer could infer | +|---|---|---| +| Nothing | Store and decrypt | Nothing from the ciphertext | +| Equality | `WHERE email = ?`, `GROUP BY`, joins | Which rows share a value | +| Ordering | `ORDER BY`, ranges, `MIN` / `MAX` | The relative order of values | +| Free-text | Token containment | Probabilistic token overlap | + +The engineering is in matching those choices to your threat model. For most columns, knowing that two rows share some unknown value is not an exposure. For a column whose frequency distribution is itself the secret, it might be, and then you encrypt without that capability and filter after decryption. + +So the goal is not to eliminate leakage. It is to choose capabilities whose leakage your threat model already tolerates, and to know exactly what you chose. Declare only what you query on. The per-scheme detail is in [searchable encryption](/concepts/searchable-encryption). + +## Which door + +**You are building.** Start with the [Quickstart](/get-started/quickstart), then [choose your stack](/get-started/choose-your-stack) to find the integration that matches your platform and ORM. + +**You are evaluating.** [Architecture & security](/security) is self-contained for a vendor review, starting with [cryptography](/security/cryptography). [Solutions](/solutions) covers the problems teams bring us. + +**You are deciding whether this is the right tool.** [Concepts](/concepts) explains how it works and where it does not apply. The [comparisons](/concepts/compare) are written to be honest about what CipherStash is not. + +## Performance + +Encryption in use is usually assumed to be slow. It is, if you do it with fully homomorphic encryption. Searchable encryption is a different trade: bounded, published leakage in exchange for the database doing ordinary index work on ciphertext. + +| | | +|---|---| +| Query overhead | Sub-millisecond. The encrypted operators inline into functional indexes, so Postgres does a normal index scan. | +| vs fully homomorphic encryption | [410,000x faster](https://github.com/cipherstash/tfhe-ore-bench) on the per-row primitives a database actually executes. | +| vs AWS KMS | Up to 14x the throughput, because ZeroKMS derives keys in bulk rather than one call per value. | + +The FHE comparison is an open benchmark harness you can run yourself. See [CipherStash vs FHE](/stack/reference/comparisons/fhe) for the methodology, and for the workloads where FHE is genuinely the right tool. + +## What it protects against + +| Threat | What happens | +|---|---| +| Database breach | Ciphertext. The keys were never in the database. | +| Compromised application credentials | Ciphertext, unless the attacker also holds the client key. | +| AI agent exfiltration | The agent reaches the database and decrypts nothing, because its credentials are not the user's keys. | +| Curious insider | Every decryption is a key derivation, and ZeroKMS records who performed it. | + +What it does **not** protect against: an attacker who has compromised your running application process, holding the client key and able to call `decrypt`. Encryption in the application means the application can decrypt. See [cryptography](/security/cryptography) for the full trust model. diff --git a/content/docs/guides/deployment/index.mdx b/content/docs/guides/deployment/index.mdx new file mode 100644 index 0000000..f269e42 --- /dev/null +++ b/content/docs/guides/deployment/index.mdx @@ -0,0 +1,8 @@ +--- +title: Deployment +description: "Deployment documentation β€” being built as part of the docs V2 overhaul." +--- + +This section is being built as part of the docs V2 overhaul ([CIP-3307](https://linear.app/cipherstash/issue/CIP-3307)). Track progress in [IA.md](https://github.com/cipherstash/docs/blob/v2/IA.md). + +Until it lands, current documentation lives in the [existing docs](/stack). diff --git a/content/docs/guides/deployment/meta.json b/content/docs/guides/deployment/meta.json new file mode 100644 index 0000000..e2ffe90 --- /dev/null +++ b/content/docs/guides/deployment/meta.json @@ -0,0 +1,4 @@ +{ + "title": "Deployment", + "pages": ["..."] +} diff --git a/content/docs/guides/development/index.mdx b/content/docs/guides/development/index.mdx new file mode 100644 index 0000000..3ac286f --- /dev/null +++ b/content/docs/guides/development/index.mdx @@ -0,0 +1,8 @@ +--- +title: Development +description: "Development documentation β€” being built as part of the docs V2 overhaul." +--- + +This section is being built as part of the docs V2 overhaul ([CIP-3307](https://linear.app/cipherstash/issue/CIP-3307)). Track progress in [IA.md](https://github.com/cipherstash/docs/blob/v2/IA.md). + +Until it lands, current documentation lives in the [existing docs](/stack). diff --git a/content/docs/guides/development/meta.json b/content/docs/guides/development/meta.json new file mode 100644 index 0000000..203f9c9 --- /dev/null +++ b/content/docs/guides/development/meta.json @@ -0,0 +1,4 @@ +{ + "title": "Development", + "pages": ["..."] +} diff --git a/content/docs/guides/index.mdx b/content/docs/guides/index.mdx new file mode 100644 index 0000000..8d6647e --- /dev/null +++ b/content/docs/guides/index.mdx @@ -0,0 +1,9 @@ +--- +title: Guides +description: "Task-oriented guides: development workflow, data migration, deployment, and troubleshooting." +type: guide +--- + +This section is being built as part of the docs V2 overhaul ([CIP-3307](https://linear.app/cipherstash/issue/CIP-3307)). Track progress in [IA.md](https://github.com/cipherstash/docs/blob/v2/IA.md). + +Until it lands, current documentation lives in the [existing docs](/stack). diff --git a/content/docs/guides/meta.json b/content/docs/guides/meta.json new file mode 100644 index 0000000..498dd61 --- /dev/null +++ b/content/docs/guides/meta.json @@ -0,0 +1,5 @@ +{ + "title": "Guides", + "icon": "Wrench", + "pages": ["..."] +} diff --git a/content/docs/guides/migration/index.mdx b/content/docs/guides/migration/index.mdx new file mode 100644 index 0000000..cd728e5 --- /dev/null +++ b/content/docs/guides/migration/index.mdx @@ -0,0 +1,8 @@ +--- +title: Data migration +description: "Data migration documentation β€” being built as part of the docs V2 overhaul." +--- + +This section is being built as part of the docs V2 overhaul ([CIP-3307](https://linear.app/cipherstash/issue/CIP-3307)). Track progress in [IA.md](https://github.com/cipherstash/docs/blob/v2/IA.md). + +Until it lands, current documentation lives in the [existing docs](/stack). diff --git a/content/docs/guides/migration/meta.json b/content/docs/guides/migration/meta.json new file mode 100644 index 0000000..941c504 --- /dev/null +++ b/content/docs/guides/migration/meta.json @@ -0,0 +1,4 @@ +{ + "title": "Data migration", + "pages": ["..."] +} diff --git a/content/docs/guides/troubleshooting/index.mdx b/content/docs/guides/troubleshooting/index.mdx new file mode 100644 index 0000000..d049ef4 --- /dev/null +++ b/content/docs/guides/troubleshooting/index.mdx @@ -0,0 +1,8 @@ +--- +title: Troubleshooting +description: "Troubleshooting documentation β€” being built as part of the docs V2 overhaul." +--- + +This section is being built as part of the docs V2 overhaul ([CIP-3307](https://linear.app/cipherstash/issue/CIP-3307)). Track progress in [IA.md](https://github.com/cipherstash/docs/blob/v2/IA.md). + +Until it lands, current documentation lives in the [existing docs](/stack). diff --git a/content/docs/guides/troubleshooting/meta.json b/content/docs/guides/troubleshooting/meta.json new file mode 100644 index 0000000..82c3c83 --- /dev/null +++ b/content/docs/guides/troubleshooting/meta.json @@ -0,0 +1,4 @@ +{ + "title": "Troubleshooting", + "pages": ["..."] +} diff --git a/content/docs/guides/troubleshooting/query-performance.mdx b/content/docs/guides/troubleshooting/query-performance.mdx new file mode 100644 index 0000000..a128a95 --- /dev/null +++ b/content/docs/guides/troubleshooting/query-performance.mdx @@ -0,0 +1,9 @@ +--- +title: Query performance +description: "Diagnosing and fixing slow queries on encrypted columns." +type: guide +--- + +This page is being built as part of the docs V2 overhaul ([CIP-3351](https://linear.app/cipherstash/issue/CIP-3351)). Track progress in [IA.md](https://github.com/cipherstash/docs/blob/v2/IA.md). + +Until it lands, the EQL reference covers the essentials: [Indexes](/reference/eql/indexes) walks through `EXPLAIN` verification and large-table index builds, and [Sorting](/reference/eql/sorting) covers extractor-form sort keys. diff --git a/content/docs/index.mdx b/content/docs/index.mdx new file mode 100644 index 0000000..8d82072 --- /dev/null +++ b/content/docs/index.mdx @@ -0,0 +1,37 @@ +--- +title: CipherStash Docs +seoTitle: "CipherStash Docs: searchable encryption for Postgres" +description: "Searchable field-level encryption, identity-bound keys, and cryptographic audit trails, built into your existing Postgres stack." +type: concept +audience: [developer, cto, ciso] +--- + +CipherStash encrypts your data at the field level. Every value gets its own +key, and the ciphertext stays queryable in Postgres. A breach, a compromised +agent, a curious insider: they all see ciphertext with no key. + +## Start here + + + + + + + + +## Browse the docs + + + + + + + + + + +## AI-ready documentation + +Every page is available as clean markdown: append `.mdx` to any page URL, or +fetch the whole corpus via [llms.txt](/llms.txt) and +[llms-full.txt](/llms-full.txt). diff --git a/content/docs/integrations/index.mdx b/content/docs/integrations/index.mdx new file mode 100644 index 0000000..6148388 --- /dev/null +++ b/content/docs/integrations/index.mdx @@ -0,0 +1,9 @@ +--- +title: Integrations +description: "Set up CipherStash with your platform, ORM, framework, auth provider, and runtime." +type: tutorial +--- + +This section is being built as part of the docs V2 overhaul ([CIP-3307](https://linear.app/cipherstash/issue/CIP-3307)). Track progress in [IA.md](https://github.com/cipherstash/docs/blob/v2/IA.md). + +Until it lands, current documentation lives in the [existing docs](/stack). diff --git a/content/docs/integrations/meta.json b/content/docs/integrations/meta.json new file mode 100644 index 0000000..13995d5 --- /dev/null +++ b/content/docs/integrations/meta.json @@ -0,0 +1,5 @@ +{ + "title": "Integrations", + "icon": "Blocks", + "pages": ["..."] +} diff --git a/content/docs/integrations/supabase/index.mdx b/content/docs/integrations/supabase/index.mdx new file mode 100644 index 0000000..5ce53db --- /dev/null +++ b/content/docs/integrations/supabase/index.mdx @@ -0,0 +1,20 @@ +--- +title: Supabase +description: "Searchable, application-level encryption for your Supabase project β€” encrypt in your app, query in Postgres." +type: tutorial +components: [encryption, eql, platform] +audience: [developer] +integration: + category: platform + setup: dashboard-required + pairsWith: [drizzle, prisma-next, clerk, nextjs] +--- + +CipherStash adds application-level encryption to your Supabase project: +sensitive fields are encrypted in your application before they reach Postgres, +and stay queryable with the same Supabase.js calls you already use. + +This page is being rebuilt as part of the docs V2 overhaul +([CIP-3328](https://linear.app/cipherstash/issue/CIP-3328)). Until it lands, +the current Supabase integration guide lives at +[CipherStash + Supabase](/stack/cipherstash/supabase). diff --git a/content/docs/integrations/supabase/meta.json b/content/docs/integrations/supabase/meta.json new file mode 100644 index 0000000..b4690bf --- /dev/null +++ b/content/docs/integrations/supabase/meta.json @@ -0,0 +1,5 @@ +{ + "title": "Supabase", + "icon": "Supabase", + "pages": ["..."] +} diff --git a/content/docs/meta.json b/content/docs/meta.json new file mode 100644 index 0000000..5d7ad44 --- /dev/null +++ b/content/docs/meta.json @@ -0,0 +1,12 @@ +{ + "pages": [ + "index", + "get-started", + "integrations", + "concepts", + "guides", + "security", + "solutions", + "reference" + ] +} diff --git a/content/docs/reference/agent-skills.mdx b/content/docs/reference/agent-skills.mdx new file mode 100644 index 0000000..03ea3a3 --- /dev/null +++ b/content/docs/reference/agent-skills.mdx @@ -0,0 +1,111 @@ +--- +title: Agent skills +description: "Install CipherStash agent skills to give your AI coding assistant accurate knowledge of encryption setup, schema building, and integrations." +type: reference +components: [encryption, cli] +--- + +CipherStash publishes a set of [agent skills](https://skills.sh/) that give AI coding assistants deep knowledge of the Stack SDK, CLI, and integrations. When installed, your agent can generate encryption schemas, write integration code, and guide you through database setup without hallucinating API surfaces. + +Skills work with any AI coding tool that supports the skills protocol, including Claude Code, Cursor, GitHub Copilot, Windsurf, Cline, Gemini, AMP, Goose, Roo, and Trae. + +## Install skills + +Skills are installed per project. Run this in your project root: + +```bash cta cta-type="install" example-id="install-agent-skills" +npx skills add cipherstash/stack +``` + +This installs all six CipherStash skills. Your agent activates the relevant skill based on what you are working on. + +### Install via the wizard + +`@cipherstash/wizard` offers to copy integration-appropriate skills into `./.claude/skills/` after its post-agent steps: + +| Integration | Skills installed | +|---|---| +| Drizzle | `stash-encryption`, `stash-drizzle`, `stash-cli` | +| Supabase | `stash-encryption`, `stash-supabase`, `stash-cli` | +| Prisma or generic | `stash-encryption`, `stash-cli` | + +## Available skills + +### stash-encryption + +Core field-level encryption with `@cipherstash/stack`. The foundational skill, covering the full encryption API. + +**Covers:** schema definition with `encryptedTable` and `encryptedColumn`; single and bulk encrypt/decrypt; model operations (`encryptModel`, `decryptModel`, `bulkEncryptModels`, `bulkDecryptModels`); searchable encryption (equality, free-text search, range queries, encrypted JSONB); identity-aware encryption with `LockContext`; multi-tenant isolation with keysets; error handling with the `Result` pattern; migration from `@cipherstash/protect`. + +**Activates when:** you are defining encrypted schemas, writing encrypt/decrypt logic, or working with the `@cipherstash/stack` package. + +**Related docs:** [Stack SDK](/reference/stack) + +### stash-cli + +The CipherStash CLI (`stash`) for database setup, schema management, and project initialization. + +**Covers:** `stash.config.ts` configuration; the setup lifecycle (`init`, `plan`, `impl`, `status`); database commands (`db install`, `db upgrade`, `db push`, `db validate`, `db status`, `db test-connection`); `schema build`; `auth login`; the programmatic API (`EQLInstaller`, `loadStashConfig`, `defineConfig`, `loadBundledEqlSql`); Drizzle migration mode (`--drizzle`); Supabase-compatible installs (`--supabase`); automatic Supabase and Drizzle detection; automatic OPE fallback on managed databases. + +**Activates when:** you are working with `stash.config.ts`, running CLI commands, or setting up EQL in a database. + +**Related docs:** [CLI reference](/reference/cli) + +### stash-drizzle + +Drizzle ORM integration using `@cipherstash/stack/drizzle`. + +**Covers:** the `encryptedType()` column type; `extractEncryptionSchema()`; `createEncryptionOperators()`; query operators (`eq`, `ne`, `like`, `ilike`, `gt`, `gte`, `lt`, `lte`, `between`, `inArray`, `asc`, `desc`); encrypted JSONB operators (`jsonbPathExists`, `jsonbPathQueryFirst`, `jsonbGet`); batched `and()` / `or()` conditions; EQL migration generation; non-encrypted column fallback; Express, Hono, and Next.js examples. + +**Activates when:** you are using Drizzle ORM with encrypted columns, or importing from `@cipherstash/stack/drizzle`. + +**Related docs:** [Drizzle integration](/stack/cipherstash/encryption/drizzle) + +### stash-supabase + +Supabase integration using `@cipherstash/stack/supabase`. + +**Covers:** the `encryptedSupabase()` wrapper; transparent encryption on `insert`, `update`, and `upsert`; transparent decryption on `select`, `single`, and `maybeSingle`; encrypted query filters (`eq`, `neq`, `like`, `ilike`, `gt`, `gte`, `lt`, `lte`, `in`, `match`, `or`, `not`, `filter`); identity-aware encryption with `.withLockContext()`; audit logging with `.audit()`; response types and error handling; Supabase-specific database setup. + +**Activates when:** you are using Supabase with encrypted columns, or importing from `@cipherstash/stack/supabase`. + +**Related docs:** [Supabase integration](/integrations/supabase) + +### stash-dynamodb + +Amazon DynamoDB integration using `@cipherstash/stack/dynamodb`. + +**Covers:** the `encryptedDynamoDB()` helper; attribute naming conventions (`__source` and `__hmac` suffixes); single and bulk encrypt/decrypt model operations; querying encrypted partition keys, sort keys, and GSI keys via HMAC attributes; nested object encryption with `encryptedField`; audit logging; table design patterns; examples with `PutCommand`, `GetCommand`, `QueryCommand`, and `BatchWriteCommand`. + +**Activates when:** you are using DynamoDB with encrypted attributes, or importing from `@cipherstash/stack/dynamodb`. + +**Related docs:** [DynamoDB integration](/stack/cipherstash/encryption/dynamodb) + +### stash-secrets + +Encrypted secrets management with `@cipherstash/stack`. + +**Covers:** the `Secrets` class API (`set`, `get`, `getMany`, `list`, `delete`); environment-based isolation with per-environment keysets; bulk retrieval with `getMany` (2 to 100 secrets per call); error types (`ApiError`, `NetworkError`, `ClientError`, `EncryptionError`, `DecryptionError`); configuration via `CS_*` environment variables or explicit config; patterns for loading secrets at startup. + +**Activates when:** you are storing or retrieving secrets, or working with the `Secrets` class from `@cipherstash/stack/secrets`. + +**Related docs:** [Secrets](https://cipherstash.com/stack/secrets) + +## How skills work + +When you ask your agent to help with a CipherStash task, it checks which skills are installed and activates the relevant one. The skill supplies the agent with the complete API surface (method signatures, types, return values), code examples matching the current SDK version, integration-specific patterns, and known limitations. + +This means your agent writes accurate CipherStash code on the first try, rather than guessing at API shapes or generating outdated patterns. + +## Typical workflow + +1. **Initialize your project.** Ask your agent to set up CipherStash and it runs `stash init`, which authenticates you, installs EQL, scaffolds the encryption client, and writes `.cipherstash/context.json`. +2. **Draft a plan.** `stash plan` produces `.cipherstash/plan.md`, listing the tables and columns to encrypt. Review it before proceeding. +3. **Execute the plan.** `stash impl` reads the plan and wires up `encryptModel` and `decryptModel` in your codebase. +4. **Handle edge cases.** The agent knows about searchable encryption constraints, operator family limitations, identity-aware encryption, and multi-tenant keysets. + +## Requirements + +- An AI coding tool that supports the [skills protocol](https://skills.sh/) +- Node.js 18 or later +- A CipherStash account ([sign up](https://dashboard.cipherstash.com/sign-up)) diff --git a/content/docs/reference/auth/index.mdx b/content/docs/reference/auth/index.mdx new file mode 100644 index 0000000..9bea074 --- /dev/null +++ b/content/docs/reference/auth/index.mdx @@ -0,0 +1,8 @@ +--- +title: Auth +description: "Auth documentation β€” being built as part of the docs V2 overhaul." +--- + +This section is being built as part of the docs V2 overhaul ([CIP-3307](https://linear.app/cipherstash/issue/CIP-3307)). Track progress in [IA.md](https://github.com/cipherstash/docs/blob/v2/IA.md). + +Until it lands, current documentation lives in the [existing docs](/stack). diff --git a/content/docs/reference/auth/meta.json b/content/docs/reference/auth/meta.json new file mode 100644 index 0000000..d801d12 --- /dev/null +++ b/content/docs/reference/auth/meta.json @@ -0,0 +1,4 @@ +{ + "title": "Auth", + "pages": ["..."] +} diff --git a/content/docs/reference/cli/auth.mdx b/content/docs/reference/cli/auth.mdx new file mode 100644 index 0000000..2ba2a00 --- /dev/null +++ b/content/docs/reference/cli/auth.mdx @@ -0,0 +1,88 @@ +--- +title: stash auth +description: "Reference for the `stash auth` commands." +type: reference +components: [cli] +verifiedAgainst: + cli: "0.17.0" +--- + +{/* GENERATED β€” do not edit. Produced by scripts/generate-cli-docs.ts from `stash manifest --json` (v0.17.0). Re-run `bun run generate-docs:cli` to refresh from the latest published CLI. */} + + +Generated from **`stash` v0.17.0** via `npx stash@0.17.0 manifest --json`. Run `npx stash@0.17.0 --help` to see the live command surface. + + +The `stash auth` command group. + +### `auth login` + +Authenticate with CipherStash + +```bash +npx stash auth login [flags] +``` + +#### Flags + +| Flag | Description | +| --- | --- | +| `--region ` | Region to authenticate against (e.g. us-east-1). Skips the interactive region picker. (env: `STASH_REGION`) | +| `--json` | Emit newline-delimited JSON events instead of prose. The first event (authorization_required) carries the device verification URL for a human to open. Implies no prompt and no browser auto-open. | +| `--no-open` | Don't auto-open the verification URL in a browser (already implied by --json). | +| `--supabase` | Track Supabase as the referrer. | +| `--drizzle` | Track Drizzle as the referrer. | + + +#### Examples + +```bash +npx stash auth login +npx stash auth login --region us-east-1 +npx stash auth login --supabase +npx stash auth login --region us-east-1 --json +``` + +### `auth regions` + +List the regions you can authenticate against + +```bash +npx stash auth regions [flags] +``` + +#### Flags + +| Flag | Description | +| --- | --- | +| `--json` | Emit machine-readable [\{ slug, label \}] instead of a text list. | + + +#### Examples + +```bash +npx stash auth regions +npx stash auth regions --json +``` + +## How authentication works + +`stash auth login` runs the OAuth 2.0 **device authorization flow**: + +1. You pick a **region** for your CipherStash workspace. +2. The CLI opens your browser to a verification URL (and prints it, so it also + works over SSH or in a headless/agent environment) where you approve the + request. +3. Meanwhile the CLI polls CipherStash until you approve, then receives a + short-lived access token (it reports the token's expiry). +4. Your device is **bound to the workspace's default keyset**, so later commands + (`stash eql install`, `stash db push`, …) authenticate without a fresh login. + + +Login is device- and workspace-scoped. Authenticating from a new machine, or for a different workspace, re-runs the device flow. + + +{/* TODO(verify with product): profiles, multiple workspaces, and switching +between them (where they're stored and how they're selected) belong here, or +in a linked CLI concept page. The CLI currently exposes only `auth login`; +confirm the profile / workspace-switching surface before documenting it. */} diff --git a/content/docs/reference/cli/db.mdx b/content/docs/reference/cli/db.mdx new file mode 100644 index 0000000..e0c26b2 --- /dev/null +++ b/content/docs/reference/cli/db.mdx @@ -0,0 +1,86 @@ +--- +title: stash db +description: "Reference for the `stash db` commands." +type: reference +components: [cli, eql] +verifiedAgainst: + cli: "0.17.0" +--- + +{/* GENERATED β€” do not edit. Produced by scripts/generate-cli-docs.ts from `stash manifest --json` (v0.17.0). Re-run `bun run generate-docs:cli` to refresh from the latest published CLI. */} + + +Generated from **`stash` v0.17.0** via `npx stash@0.17.0 manifest --json`. Run `npx stash@0.17.0 --help` to see the live command surface. + + +The `stash db` command group. + +### `db push` + +Push encryption schema (writes pending if active config already exists) + +```bash +npx stash db push [flags] +``` + +#### Flags + +| Flag | Description | +| --- | --- | +| `--dry-run` | Show what would happen without making changes. | +| `--database-url ` | Override DATABASE_URL for this run only β€” never written to disk. (env: `DATABASE_URL`) | + + +### `db activate` + +Promote pending β†’ active without renames (use after additive db push) + +```bash +npx stash db activate [flags] +``` + +#### Flags + +| Flag | Description | +| --- | --- | +| `--database-url ` | Override DATABASE_URL for this run only β€” never written to disk. (env: `DATABASE_URL`) | + + +### `db validate` + +Validate encryption schema + +```bash +npx stash db validate [flags] +``` + +#### Flags + +| Flag | Description | +| --- | --- | +| `--supabase` | Use Supabase-compatible mode. | +| `--exclude-operator-family` | Skip operator family creation. | +| `--database-url ` | Override DATABASE_URL for this run only β€” never written to disk. (env: `DATABASE_URL`) | + + +### `db migrate` + +Run pending encrypt config migrations (not yet implemented) + +```bash +npx stash db migrate +``` + +### `db test-connection` + +Test database connectivity + +```bash +npx stash db test-connection [flags] +``` + +#### Flags + +| Flag | Description | +| --- | --- | +| `--database-url ` | Override DATABASE_URL for this run only β€” never written to disk. (env: `DATABASE_URL`) | diff --git a/content/docs/reference/cli/doctor.mdx b/content/docs/reference/cli/doctor.mdx new file mode 100644 index 0000000..1c6efb8 --- /dev/null +++ b/content/docs/reference/cli/doctor.mdx @@ -0,0 +1,20 @@ +--- +title: stash doctor +description: "Diagnose install problems (native binaries, runtime)" +type: reference +components: [cli] +verifiedAgainst: + cli: "0.17.0" +--- + +{/* GENERATED β€” do not edit. Produced by scripts/generate-cli-docs.ts from `stash manifest --json` (v0.17.0). Re-run `bun run generate-docs:cli` to refresh from the latest published CLI. */} + + +Generated from **`stash` v0.17.0** via `npx stash@0.17.0 manifest --json`. Run `npx stash@0.17.0 --help` to see the live command surface. + + +Diagnose install problems (native binaries, runtime) + +```bash +npx stash doctor +``` diff --git a/content/docs/reference/cli/encrypt.mdx b/content/docs/reference/cli/encrypt.mdx new file mode 100644 index 0000000..9c03ae8 --- /dev/null +++ b/content/docs/reference/cli/encrypt.mdx @@ -0,0 +1,88 @@ +--- +title: stash encrypt +description: "Reference for the `stash encrypt` commands." +type: reference +components: [cli, eql] +verifiedAgainst: + cli: "0.17.0" +--- + +{/* GENERATED β€” do not edit. Produced by scripts/generate-cli-docs.ts from `stash manifest --json` (v0.17.0). Re-run `bun run generate-docs:cli` to refresh from the latest published CLI. */} + + +Generated from **`stash` v0.17.0** via `npx stash@0.17.0 manifest --json`. Run `npx stash@0.17.0 --help` to see the live command surface. + + +The `stash encrypt` command group. + +### `encrypt status` + +Show per-column migration status (phase, progress, drift) + +```bash +npx stash encrypt status +``` + +### `encrypt plan` + +Diff intent (.cipherstash/migrations.json) vs observed state + +```bash +npx stash encrypt plan +``` + +### `encrypt backfill` + +Resumably encrypt plaintext into the encrypted column + +```bash +npx stash encrypt backfill [flags] +``` + +#### Flags + +| Flag | Description | +| --- | --- | +| `--table ` | Target table. | +| `--column ` | Target column. | +| `--pk-column ` | Primary-key column used to page through rows. | +| `--chunk-size ` | Rows encrypted per batch. | +| `--encrypted-column ` | Destination encrypted column. | +| `--schema-column-key ` | Schema key identifying the column config. | +| `--confirm-dual-writes-deployed` | Assert the app is dual-writing before backfilling (safety gate). | +| `--force` | Proceed past non-fatal safety checks. | + + +### `encrypt cutover` + +Rename swap encrypted β†’ primary column + +```bash +npx stash encrypt cutover [flags] +``` + +#### Flags + +| Flag | Description | +| --- | --- | +| `--table ` | Target table. | +| `--column ` | Target column. | +| `--proxy-url ` | Proxy URL to verify against. | +| `--migrations-dir ` | Directory to write the rename migration into. | + + +### `encrypt drop` + +Generate a migration to drop the plaintext column + +```bash +npx stash encrypt drop [flags] +``` + +#### Flags + +| Flag | Description | +| --- | --- | +| `--table ` | Target table. | +| `--column ` | Target column. | +| `--migrations-dir ` | Directory to write the drop migration into. | diff --git a/content/docs/reference/cli/env.mdx b/content/docs/reference/cli/env.mdx new file mode 100644 index 0000000..fe277a9 --- /dev/null +++ b/content/docs/reference/cli/env.mdx @@ -0,0 +1,26 @@ +--- +title: stash env +description: "(experimental) Print production env vars for deployment" +type: reference +components: [cli] +verifiedAgainst: + cli: "0.17.0" +--- + +{/* GENERATED β€” do not edit. Produced by scripts/generate-cli-docs.ts from `stash manifest --json` (v0.17.0). Re-run `bun run generate-docs:cli` to refresh from the latest published CLI. */} + + +Generated from **`stash` v0.17.0** via `npx stash@0.17.0 manifest --json`. Run `npx stash@0.17.0 --help` to see the live command surface. + + +(experimental) Print production env vars for deployment + +```bash +npx stash env [flags] +``` + +### Flags + +| Flag | Description | +| --- | --- | +| `--write` | Write the vars to a file instead of printing them. | diff --git a/content/docs/reference/cli/eql.mdx b/content/docs/reference/cli/eql.mdx new file mode 100644 index 0000000..63bf8be --- /dev/null +++ b/content/docs/reference/cli/eql.mdx @@ -0,0 +1,77 @@ +--- +title: stash eql +description: "Reference for the `stash eql` commands." +type: reference +components: [cli, eql] +verifiedAgainst: + cli: "0.17.0" +--- + +{/* GENERATED β€” do not edit. Produced by scripts/generate-cli-docs.ts from `stash manifest --json` (v0.17.0). Re-run `bun run generate-docs:cli` to refresh from the latest published CLI. */} + + +Generated from **`stash` v0.17.0** via `npx stash@0.17.0 manifest --json`. Run `npx stash@0.17.0 --help` to see the live command surface. + + +The `stash eql` command group. + +### `eql install` + +Scaffold stash.config.ts (if missing) and install EQL extensions + +```bash +npx stash eql install [flags] +``` + +#### Flags + +| Flag | Description | +| --- | --- | +| `--force` | Reinstall / overwrite even if already installed. | +| `--dry-run` | Show what would happen without making changes. | +| `--supabase` | Use Supabase-compatible mode (auto-detected from DATABASE_URL). | +| `--drizzle` | Generate a Drizzle migration instead of direct install (auto-detected from project). | +| `--migration` | Write a Supabase migration file instead of running SQL directly (requires --supabase). | +| `--direct` | Run the SQL directly against the database (requires --supabase; mutually exclusive with --migration). | +| `--migrations-dir ` | Override the Supabase migrations directory (requires --supabase). (default: `supabase/migrations`) | +| `--exclude-operator-family` | Skip operator family creation. | +| `--eql-version <2\|3>` | EQL generation to target. v3 is the native eql_v3.* domain schema (direct install only for now). (default: `2`) | +| `--latest` | Fetch the latest EQL from GitHub (v2 only). | +| `--name ` | With --drizzle: name for the generated migration (defaults to a scaffold name). | +| `--out ` | With --drizzle: directory to write the generated migration into. | +| `--database-url ` | Override DATABASE_URL for this run only β€” never written to disk. (env: `DATABASE_URL`) | + + +### `eql upgrade` + +Upgrade EQL extensions to the latest version + +```bash +npx stash eql upgrade [flags] +``` + +#### Flags + +| Flag | Description | +| --- | --- | +| `--dry-run` | Show what would happen without making changes. | +| `--supabase` | Use Supabase-compatible mode. | +| `--exclude-operator-family` | Skip operator family creation. | +| `--eql-version <2\|3>` | EQL generation to target. (default: `2`) | +| `--latest` | Fetch the latest EQL from GitHub (v2 only). | +| `--database-url ` | Override DATABASE_URL for this run only β€” never written to disk. (env: `DATABASE_URL`) | + + +### `eql status` + +Show EQL installation status + +```bash +npx stash eql status [flags] +``` + +#### Flags + +| Flag | Description | +| --- | --- | +| `--database-url ` | Override DATABASE_URL for this run only β€” never written to disk. (env: `DATABASE_URL`) | diff --git a/content/docs/reference/cli/impl.mdx b/content/docs/reference/cli/impl.mdx new file mode 100644 index 0000000..b3ce114 --- /dev/null +++ b/content/docs/reference/cli/impl.mdx @@ -0,0 +1,36 @@ +--- +title: stash impl +description: "Execute the plan with a local agent" +type: reference +components: [cli] +verifiedAgainst: + cli: "0.17.0" +--- + +{/* GENERATED β€” do not edit. Produced by scripts/generate-cli-docs.ts from `stash manifest --json` (v0.17.0). Re-run `bun run generate-docs:cli` to refresh from the latest published CLI. */} + + +Generated from **`stash` v0.17.0** via `npx stash@0.17.0 manifest --json`. Run `npx stash@0.17.0 --help` to see the live command surface. + + +Execute the plan with a local agent + +```bash +npx stash impl [flags] +``` + +### Flags + +| Flag | Description | +| --- | --- | +| `--continue-without-plan` | Skip planning and go straight to implementation (interactively confirms before proceeding). | +| `--target ` | Skip the agent-target picker and hand off directly to one of claude-code \| codex \| agents-md \| wizard. Safe in non-TTY contexts. | + + +## Examples + +```bash +npx stash impl +npx stash impl --continue-without-plan +npx stash impl --target claude-code +``` diff --git a/content/docs/reference/cli/index.mdx b/content/docs/reference/cli/index.mdx new file mode 100644 index 0000000..88764db --- /dev/null +++ b/content/docs/reference/cli/index.mdx @@ -0,0 +1,75 @@ +--- +title: CLI +description: "Command reference for the stash CLI, generated from v0.17.0." +type: reference +components: [cli] +verifiedAgainst: + cli: "0.17.0" +--- + +{/* GENERATED β€” do not edit. Produced by scripts/generate-cli-docs.ts from `stash manifest --json` (v0.17.0). Re-run `bun run generate-docs:cli` to refresh from the latest published CLI. */} + + +Generated from **`stash` v0.17.0** via `npx stash@0.17.0 manifest --json`. Run `npx stash@0.17.0 --help` to see the live command surface. + + +The `stash` CLI. Install with `npx stash@0.17.0`. Every command accepts `--help` and `--version`. + +### Setup & workflow + +| Command | Description | +| --- | --- | +| [`init`](/reference/cli/init) | Initialize CipherStash for your project | +| [`plan`](/reference/cli/plan) | Draft a reviewable encryption plan at .cipherstash/plan.md | +| [`impl`](/reference/cli/impl) | Execute the plan with a local agent | +| [`status`](/reference/cli/status) | Displays implementation status | +| [`wizard`](/reference/cli/wizard) | AI-guided encryption setup (reads your codebase) | +| [`doctor`](/reference/cli/doctor) | Diagnose install problems (native binaries, runtime) | +| [`manifest`](/reference/cli/manifest) | Print the structured, versioned command surface | + +### Auth + +| Command | Description | +| --- | --- | +| [`auth login`](/reference/cli/auth#auth-login) | Authenticate with CipherStash | +| [`auth regions`](/reference/cli/auth#auth-regions) | List the regions you can authenticate against | + +### EQL + +| Command | Description | +| --- | --- | +| [`eql install`](/reference/cli/eql#eql-install) | Scaffold stash.config.ts (if missing) and install EQL extensions | +| [`eql upgrade`](/reference/cli/eql#eql-upgrade) | Upgrade EQL extensions to the latest version | +| [`eql status`](/reference/cli/eql#eql-status) | Show EQL installation status | + +### Database + +| Command | Description | +| --- | --- | +| [`db push`](/reference/cli/db#db-push) | Push encryption schema (writes pending if active config already exists) | +| [`db activate`](/reference/cli/db#db-activate) | Promote pending β†’ active without renames (use after additive db push) | +| [`db validate`](/reference/cli/db#db-validate) | Validate encryption schema | +| [`db migrate`](/reference/cli/db#db-migrate) | Run pending encrypt config migrations (not yet implemented) | +| [`db test-connection`](/reference/cli/db#db-test-connection) | Test database connectivity | + +### Schema + +| Command | Description | +| --- | --- | +| [`schema build`](/reference/cli/schema#schema-build) | Build an encryption schema from your database | + +### Encrypt + +| Command | Description | +| --- | --- | +| [`encrypt status`](/reference/cli/encrypt#encrypt-status) | Show per-column migration status (phase, progress, drift) | +| [`encrypt plan`](/reference/cli/encrypt#encrypt-plan) | Diff intent (.cipherstash/migrations.json) vs observed state | +| [`encrypt backfill`](/reference/cli/encrypt#encrypt-backfill) | Resumably encrypt plaintext into the encrypted column | +| [`encrypt cutover`](/reference/cli/encrypt#encrypt-cutover) | Rename swap encrypted β†’ primary column | +| [`encrypt drop`](/reference/cli/encrypt#encrypt-drop) | Generate a migration to drop the plaintext column | + +### Experimental + +| Command | Description | +| --- | --- | +| [`env`](/reference/cli/env) | (experimental) Print production env vars for deployment | diff --git a/content/docs/reference/cli/init.mdx b/content/docs/reference/cli/init.mdx new file mode 100644 index 0000000..518544b --- /dev/null +++ b/content/docs/reference/cli/init.mdx @@ -0,0 +1,41 @@ +--- +title: stash init +description: "Initialize CipherStash for your project" +type: reference +components: [cli] +verifiedAgainst: + cli: "0.17.0" +--- + +{/* GENERATED β€” do not edit. Produced by scripts/generate-cli-docs.ts from `stash manifest --json` (v0.17.0). Re-run `bun run generate-docs:cli` to refresh from the latest published CLI. */} + + +Generated from **`stash` v0.17.0** via `npx stash@0.17.0 manifest --json`. Run `npx stash@0.17.0 --help` to see the live command surface. + + +Initialize CipherStash for your project + +```bash +npx stash init [flags] +``` + +### Flags + +| Flag | Description | +| --- | --- | +| `--supabase` | Use Supabase-specific setup flow. | +| `--drizzle` | Use Drizzle-specific setup flow. | +| `--prisma-next` | Use Prisma Next-specific setup flow (EQL bundle installed via prisma-next migration apply). | +| `--proxy` | Query encrypted data via CipherStash Proxy. | +| `--no-proxy` | Query encrypted data directly via the SDK. (default: `true`) | +| `--region ` | Region to authenticate against (e.g. us-east-1). Skips the interactive region picker. Required for non-interactive init when not already logged in. (env: `STASH_REGION`) | + + +## Examples + +```bash +npx stash init +npx stash init --supabase +npx stash init --prisma-next +npx stash init --region us-east-1 +``` diff --git a/content/docs/reference/cli/manifest.mdx b/content/docs/reference/cli/manifest.mdx new file mode 100644 index 0000000..4c7578d --- /dev/null +++ b/content/docs/reference/cli/manifest.mdx @@ -0,0 +1,34 @@ +--- +title: stash manifest +description: "Print the structured, versioned command surface" +type: reference +components: [cli] +verifiedAgainst: + cli: "0.17.0" +--- + +{/* GENERATED β€” do not edit. Produced by scripts/generate-cli-docs.ts from `stash manifest --json` (v0.17.0). Re-run `bun run generate-docs:cli` to refresh from the latest published CLI. */} + + +Generated from **`stash` v0.17.0** via `npx stash@0.17.0 manifest --json`. Run `npx stash@0.17.0 --help` to see the live command surface. + + +Print the structured, versioned command surface + +```bash +npx stash manifest [flags] +``` + +### Flags + +| Flag | Description | +| --- | --- | +| `--json` | Emit the structured JSON manifest instead of a text list. | + + +## Examples + +```bash +npx stash manifest --json +npx stash manifest +``` diff --git a/content/docs/reference/cli/meta.json b/content/docs/reference/cli/meta.json new file mode 100644 index 0000000..6b90890 --- /dev/null +++ b/content/docs/reference/cli/meta.json @@ -0,0 +1,25 @@ +{ + "title": "CLI", + "pages": [ + "---Setup & workflow---", + "init", + "plan", + "impl", + "status", + "wizard", + "doctor", + "manifest", + "---Auth---", + "auth", + "---EQL---", + "eql", + "---Database---", + "db", + "---Schema---", + "schema", + "---Encrypt---", + "encrypt", + "---Experimental---", + "env" + ] +} diff --git a/content/docs/reference/cli/plan.mdx b/content/docs/reference/cli/plan.mdx new file mode 100644 index 0000000..4904f7a --- /dev/null +++ b/content/docs/reference/cli/plan.mdx @@ -0,0 +1,35 @@ +--- +title: stash plan +description: "Draft a reviewable encryption plan at .cipherstash/plan.md" +type: reference +components: [cli] +verifiedAgainst: + cli: "0.17.0" +--- + +{/* GENERATED β€” do not edit. Produced by scripts/generate-cli-docs.ts from `stash manifest --json` (v0.17.0). Re-run `bun run generate-docs:cli` to refresh from the latest published CLI. */} + + +Generated from **`stash` v0.17.0** via `npx stash@0.17.0 manifest --json`. Run `npx stash@0.17.0 --help` to see the live command surface. + + +Draft a reviewable encryption plan at .cipherstash/plan.md + +```bash +npx stash plan [flags] +``` + +### Flags + +| Flag | Description | +| --- | --- | +| `--complete-rollout` | Plan the entire encryption lifecycle (schema-add through drop) in one document. Skips the production-deploy gate; only safe when this database is not backing a deployed application. | +| `--target ` | Skip the agent-target picker and hand off directly to one of claude-code \| codex \| agents-md \| wizard. Safe in non-TTY contexts. | + + +## Examples + +```bash +npx stash plan +npx stash plan --target claude-code +``` diff --git a/content/docs/reference/cli/schema.mdx b/content/docs/reference/cli/schema.mdx new file mode 100644 index 0000000..9b5e360 --- /dev/null +++ b/content/docs/reference/cli/schema.mdx @@ -0,0 +1,31 @@ +--- +title: stash schema +description: "Reference for the `stash schema` commands." +type: reference +components: [cli, eql] +verifiedAgainst: + cli: "0.17.0" +--- + +{/* GENERATED β€” do not edit. Produced by scripts/generate-cli-docs.ts from `stash manifest --json` (v0.17.0). Re-run `bun run generate-docs:cli` to refresh from the latest published CLI. */} + + +Generated from **`stash` v0.17.0** via `npx stash@0.17.0 manifest --json`. Run `npx stash@0.17.0 --help` to see the live command surface. + + +The `stash schema` command group. + +### `schema build` + +Build an encryption schema from your database + +```bash +npx stash schema build [flags] +``` + +#### Flags + +| Flag | Description | +| --- | --- | +| `--supabase` | Use Supabase-compatible mode. | +| `--database-url ` | Override DATABASE_URL for this run only β€” never written to disk. (env: `DATABASE_URL`) | diff --git a/content/docs/reference/cli/status.mdx b/content/docs/reference/cli/status.mdx new file mode 100644 index 0000000..ba033d7 --- /dev/null +++ b/content/docs/reference/cli/status.mdx @@ -0,0 +1,28 @@ +--- +title: stash status +description: "Displays implementation status" +type: reference +components: [cli] +verifiedAgainst: + cli: "0.17.0" +--- + +{/* GENERATED β€” do not edit. Produced by scripts/generate-cli-docs.ts from `stash manifest --json` (v0.17.0). Re-run `bun run generate-docs:cli` to refresh from the latest published CLI. */} + + +Generated from **`stash` v0.17.0** via `npx stash@0.17.0 manifest --json`. Run `npx stash@0.17.0 --help` to see the live command surface. + + +Displays implementation status + +```bash +npx stash status [flags] +``` + +### Flags + +| Flag | Description | +| --- | --- | +| `--quest` | Force the quest-log output (emoji + progress bars) even in non-TTY contexts. | +| `--plain` | Force the plain-text output even in TTY contexts. | +| `--json` | Emit a structured JSON document instead. | diff --git a/content/docs/reference/cli/wizard.mdx b/content/docs/reference/cli/wizard.mdx new file mode 100644 index 0000000..05678ed --- /dev/null +++ b/content/docs/reference/cli/wizard.mdx @@ -0,0 +1,20 @@ +--- +title: stash wizard +description: "AI-guided encryption setup (reads your codebase)" +type: reference +components: [cli] +verifiedAgainst: + cli: "0.17.0" +--- + +{/* GENERATED β€” do not edit. Produced by scripts/generate-cli-docs.ts from `stash manifest --json` (v0.17.0). Re-run `bun run generate-docs:cli` to refresh from the latest published CLI. */} + + +Generated from **`stash` v0.17.0** via `npx stash@0.17.0 manifest --json`. Run `npx stash@0.17.0 --help` to see the live command surface. + + +AI-guided encryption setup (reads your codebase) + +```bash +npx stash wizard +``` diff --git a/content/docs/reference/eql/booleans.mdx b/content/docs/reference/eql/booleans.mdx new file mode 100644 index 0000000..294a846 --- /dev/null +++ b/content/docs/reference/eql/booleans.mdx @@ -0,0 +1,64 @@ +--- +title: Booleans +description: "Encrypted booleans are storage-only by design: public.boolean stores and decrypts, carries no index terms, and blocks every comparison." +type: reference +components: [eql] +verifiedAgainst: + eql: "3.0.0" +--- + + + +Every scalar type has a storage-only variant β€” for `bool` it's the only one. EQL ships `public.boolean` and nothing else: there is no `bool_eq` and no `bool_ord`. An encrypted boolean column can be stored, decrypted, and null-checked; it cannot be filtered, sorted, grouped, or joined on. + +## Why there are no query variants + +A two-value column has too little cardinality for any searchable index to be safe. An equality term over `true` / `false` would partition the table into two visible buckets β€” leaking the value distribution (and, with any outside knowledge, the values themselves) outright. Rather than ship an index term that can't keep its promise, EQL omits the query variants entirely. See [Searchable encryption](/concepts/searchable-encryption) for the general analysis of what index terms reveal. + +## What works, what raises + +`public.boolean` follows the bare-variant contract described in [Core concepts](/reference/eql/core-concepts#variants-declare-capability): it carries no index terms, so `IS NULL` / `IS NOT NULL` are the only predicates that work. Every comparison operator routes to a blocker and raises β€” the [fail-loud behavior](/reference/eql/core-concepts#unsupported-operations-fail-loudly) shared by all encrypted variants: + +```sql +-- ❌ Raises: operator = is not supported for public.boolean +SELECT * FROM users WHERE is_active = $1::public.boolean; + +-- βœ… Works: NULL columns are not encrypted +SELECT * FROM users WHERE is_active IS NOT NULL; +``` + +## Filter client-side + +Query on other columns, decrypt the boolean in your application, and filter there: + +```sql +CREATE TABLE users ( + id bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY, + email public.text_eq, -- exact lookup + created_at public.timestamp_ord, -- range queries, ORDER BY + is_active public.boolean -- storage only (by design) +); +``` + +```sql +-- Narrow the result set with the columns that do carry index terms… +SELECT id, email, is_active FROM users +WHERE created_at >= $1::public.timestamp_ord; +-- …then decrypt is_active in the client and filter on the plaintext. +``` + +The [Stack SDK](/reference/stack) and [CipherStash Proxy](/reference/proxy) decrypt the payload back to a plain boolean on read, so the client-side filter is an ordinary `if`. + +If a boolean genuinely needs to be a server-side predicate, that is a data-modelling signal: consider whether the flag is actually sensitive. A non-sensitive flag can stay a plain PostgreSQL `boolean` column alongside your encrypted columns. + +## Storing without querying + +`bool` is the forced case of a pattern available to every scalar type: the bare variant `public.` (for example `public.integer`, `public.text`, `public.timestamp`) is storage-and-decryption only. It carries no index terms, and every comparison operator raises β€” use it for columns you only ever store and decrypt, so the database holds no searchable material for them at all. + +For every type other than `bool`, storage-only is a choice you can walk back. If you later need to query, retype the column as a query variant β€” or, if the payloads already carry the needed term (the client decides which terms travel in the payload), cast at the call site: + +```sql +SELECT * FROM readings WHERE value::public.integer_ord > $1::public.integer_ord; +``` + +The variant families and what each one enables are covered in [Core concepts](/reference/eql/core-concepts); the per-type specifics live in [Numbers](/reference/eql/numbers), [Dates & times](/reference/eql/dates-and-times), and [Text](/reference/eql/text). diff --git a/content/docs/reference/eql/core-concepts.mdx b/content/docs/reference/eql/core-concepts.mdx new file mode 100644 index 0000000..1445ac8 --- /dev/null +++ b/content/docs/reference/eql/core-concepts.mdx @@ -0,0 +1,178 @@ +--- +title: Core concepts +description: "The model behind every EQL page: domain variants that declare capability, the encrypted payload envelope, the typed-operand rule, and fail-loud blockers." +type: reference +components: [eql] +verifiedAgainst: + eql: "3.0.0" +--- + + + +Everything in the EQL reference builds on four ideas: columns are typed as **domain variants** that declare what they can do, every value is a **`jsonb` payload** carrying encrypted index terms, **operands must be typed** for the encrypted operators to resolve, and anything a column can't do **fails loudly** instead of returning wrong rows. This page is the canonical home for all four β€” the per-type and per-query pages link back here rather than restating them. + +## Variants declare capability + +EQL ships its searchable-encryption surface as PostgreSQL **domains in the `public` schema**, all backed by `jsonb` (the functions behind them live in `eql_v3` β€” [The three schemas](#the-three-schemas) explains the split). Each scalar type generates a *family* of domain variants, and the variant you type a column as fixes its query capability. Each domain carries a `CHECK` constraint that validates the encrypted payload on insert, so a malformed or wrong-version value is rejected at write time rather than surfacing at query time. + +There is no database-side configuration table. Earlier EQL versions tracked encryption config in the database (`config_add_table`, `config_add_column`, and friends) β€” those are gone in v3. The searchable surface of a column is fixed by the domain variant you type it as, and which index terms travel in a value's payload is decided by the encryption client (the [Stack SDK](/reference/stack) or [CipherStash Proxy](/reference/proxy)). The domain makes the matching operators resolve; the term in the payload is what makes them answer. + +For any scalar type ``, the family looks like this: + +| Domain variant | Capability | +| --- | --- | +| `public.` | Storage and decryption only. | +| `public._eq` | Equality: `=`, `<>`, `IN`, `GROUP BY`, `DISTINCT`, equijoins. | +| `public._ord` | Comparisons (`<` … `>=`), `BETWEEN`, `ORDER BY`, `MIN` / `MAX` β€” plus equality. | +| `public._ord_ore` | As `_ord`, with the ORE mechanism pinned β€” see [SEM specifiers](#sem-specifiers). | +| `public.text_match` (text only) | Free-text token containment: `@>` / `<@`. | +| `public.text_search` (text only) | Equality + ordering + token containment. | + +Two things worth calling out: + +- **The bare variant blocks everything.** `public.` carries no index term. Querying it with any comparison operator raises an "operator not supported" exception. Use it for columns you only ever store and decrypt β€” [Booleans](/reference/eql/booleans) covers this pattern in full. +- **Which index term backs each capability** is an implementation detail of the payload β€” covered in [Anatomy of an encrypted value](#anatomy-of-an-encrypted-value) below. + +### SEM specifiers + +A trailing mechanism suffix β€” the `_ore` in `_ord_ore` β€” is a **SEM specifier**: it pins *which* searchable-encryption mechanism implements the capability, rather than just declaring the capability itself. + +- `public._ord` declares *orderable* and leaves the mechanism to EQL's default. +- `public._ord_ore` declares *orderable via ORE* (order-revealing encryption), explicitly. Its term is `ob`, extracted with `eql_v3.ord_term`. +- `public._ord_ope` declares *orderable via OPE* (order-preserving encryption), explicitly. Its term is `op`, extracted with `eql_v3.ord_ope_term`. + +The two mechanisms differ in what they demand of the database, not in the capability they declare. An OPE term is a `bytea` domain that orders under Postgres's **default** btree operator class, so a functional index on it works anywhere you can `CREATE INDEX`. An ORE term needs a custom operator class and family, which managed platforms frequently block. + + +The mechanism behind the unpinned `public._ord` is **changing to OPE** before EQL 3.0.0 stabilizes, so that ordering works on every platform out of the box. ORE remains available, pinned explicitly as `_ord_ore`, on databases that permit operator class and family creation. Pin a specifier if you need to freeze a column's mechanism; leave it off to track the default. + + +Each type page lists its available specifiers under an "SEM specifiers" heading. + +Declaring a table is just typing each column as the variant it needs: + +```sql +CREATE TABLE users ( + id BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY, + email public.text_eq, -- equality only + salary public.integer_ord, -- equality + range + ORDER BY + created_at public.timestamp_ord +); +``` + +Every scalar type β€” `int2`, `int4`, `int8`, `numeric`, `float4`, `float8`, `date`, `timestamp`, `text`, and `bool` in EQL 3.0.0 β€” ships some subset of this family. The per-category pages list exactly which variants each type has and how to choose between them: [Numbers](/reference/eql/numbers), [Dates & times](/reference/eql/dates-and-times), [Text](/reference/eql/text), and [Booleans](/reference/eql/booleans). Encrypted JSON documents use a separate domain, `public.json`, with its own operator surface β€” see [JSON](/reference/eql/json). + +## The three schemas + +EQL spreads its surface across three PostgreSQL schemas, and the split is what makes EQL **upgradable in place**: + +| Schema | Holds | Do you call it? | +| --- | --- | --- | +| `public` | The encrypted **domain types** β€” every `public.` variant you type a column as. | Referenced in your table DDL. | +| `eql_v3` | All **user-callable functions and operators** β€” the searchable-encryption API (`eql_v3.eq_term`, `eql_v3.jsonb_path_query`, the encrypted `=` / `<` / `@>` operators, `eql_v3.version()`). | Yes β€” this is the API. | +| `eql_v3_internal` | The **implementation functions** the domains and operators are built from. | No β€” never call these directly. | + +**Why the types live in `public`.** Your columns are typed as `public.integer_ord`, `public.text_eq`, and so on β€” never `eql_v3.*`. Keeping the types in the unversioned `public` schema means an EQL upgrade never rewrites your table definitions: the logic ships in a *versioned* schema (`eql_v3` today, a future `eql_v4` alongside it tomorrow) while the type names your schema depends on stay put. `eql_v2` was removed wholesale in 3.0.0 without any `public.*` type changing. + +**Why `eql_v3` is versioned.** The schema name encodes the major API version and is itself part of the public contract β€” a breaking change introduces a new `eql_vN` schema *beside* the old one rather than mutating it, so you migrate on your own timeline. Everything in `eql_v3` is fair game to call. + +**Why `eql_v3_internal` is off-limits.** These are the building blocks β€” term comparators, unsupported-operator blockers, cast helpers β€” that the operators and domain `CHECK` constraints wire together. They carry no stability guarantee and can change or disappear between releases. If you're reaching for `eql_v3_internal.*`, there's a `public` type or an `eql_v3` function that does what you want. + +## Anatomy of an encrypted value + +Every EQL encrypted value is a `jsonb` payload with a shared envelope plus the index terms that make it queryable. Earlier CipherStash docs called this format the **CipherCell** β€” this section is the current definition of the same structure. + +Payloads are **produced** by the encryption clients β€” the [Stack SDK](/reference/stack) and [CipherStash Proxy](/reference/proxy) β€” and **consumed** by EQL's operators and functions inside Postgres. EQL never sees plaintext: it validates, stores, and compares these payloads; it cannot produce or decrypt them. The division is strict: the clients never rely on the database for key material. + +### The envelope + +Every payload carries three envelope keys. Each `eql_v3` domain's `CHECK` constraint requires them, so a value missing any of these is rejected at write time: + +| Key | Contents | Notes | +| --- | --- | --- | +| `v` | The EQL version | `3` β€” the payload version matches the EQL major version. The domain `CHECK`s assert it and raise on any other value. | +| `i` | Ident: `{"t": "", "c": ""}` | Binds the ciphertext to the table and column it was encrypted for. Both keys required. | +| `c` | Ciphertext | The opaque, non-deterministic encrypted blob (mp_base85-encoded). Never used in comparisons. | + + +Payloads produced by EQL v2 clients carried `v: 2`; from 3.0.0 the payload version and the EQL version move together. + + +A `k` discriminator (`"ct"` for a scalar ciphertext, `"sv"` for a JSON document) also appears on payloads emitted by the clients, distinguishing the two top-level shapes. + +### Index-term keys + +Alongside the envelope, a payload carries the index terms for its column's capability. Each key is backed by a SEM (searchable encrypted metadata) type in the `eql_v3_internal` schema: + +| Key | SEM type | Wire shape | Enables | Reveals | +| --- | --- | --- | --- | --- | +| `hm` | `eql_v3_internal.hmac_256` (domain over `text`) | Hex string (HMAC-SHA-256) | `=`, `<>` on `_eq` and `text_search` domains | Whether two values are equal β€” nothing else | +| `ob` | `eql_v3_internal.ore_block_256` (composite: array of `bytea` block terms) | Array of hex-encoded ORE blocks (block count varies by scalar width) | `<`, `<=`, `>`, `>=`, `ORDER BY` on `_ord` / `_ord_ore` domains β€” and `=` / `<>`, since ORE comparison collapses to equality | The relative order of two values | +| `op` | `eql_v3_internal.ope_cllw` (domain over `bytea`) | Hex-encoded CLLW OPE ciphertext | `<`, `<=`, `>`, `>=`, `ORDER BY` on `_ord_ope` domains, and on String / Number leaves of `public.json` | The relative order of two values | +| `bf` | `eql_v3_internal.bloom_filter` (domain over `smallint[]`) | Array of set bit positions (**signed** 16-bit β€” large filters emit negative positions) | `@>` / `<@` token containment on `_match` domains | Probabilistic token overlap between values | + +The capability is encoded as **required keys**: the payload for a `public.text_eq` column must carry `hm`; a `public.integer_ord` payload must carry `ob` (and only `ob`); a `text_match` payload must carry `bf`; a `text_search` payload carries all three. A payload missing its term key fails the domain `CHECK` β€” and fails to deserialize in the client bindings. + +A scalar payload for a `public.text_search` column (lookup + ordering + free-text match, so all three terms are required): + +```json +{ + "v": 3, + "i": { "t": "users", "c": "email" }, + "c": "mBbKmsMM%bK#QQOx1yLDBHyD...", + "hm": "9c8ec1d2f9932b979b1bf3f09f8a4e2f6a41f8de2f0c8b7a52e1f5c3d4b6a790", + "ob": ["7a1fd0c2...", "d24c9be1...", "03fa66b8..."], + "bf": [42, 1290, -8113, 30201] +} +``` + +- `v`, `i`, `c` β€” the envelope +- `hm` β€” equality term: `WHERE email = $1` compares this +- `ob` β€” ordering term: `ORDER BY` and range comparisons walk these blocks +- `bf` β€” bloom-filter term: `@>` token containment tests these bit positions + +Encrypted JSON documents use a different payload shape β€” an `sv` array with one encrypted entry per path in the document instead of a root ciphertext β€” defined in [JSON](/reference/eql/json). + +### Machine-readable schemas + +The [EQL repository](https://github.com/cipherstash/encrypt-query-language) publishes the format as JSON Schema in two places: + +- **`crates/eql-bindings/schema/`** β€” one schema per scalar domain (`$id`s under `https://schemas.cipherstash.com/eql/v3/`), generated from the canonical Rust wire types in the `eql-bindings` crate. TypeScript bindings are generated from the same definitions, so every producer and consumer shares one source of truth. +- **`docs/reference/schema/`** β€” full-payload schemas covering both the scalar and `sv` document shapes. These files are still named for the v2.x payload releases (`eql-payload-v2.2.schema.json`, `eql-payload-v2.3.schema.json`); the v2.3 schema describes the document shape, with the payload version field moving to `3` alongside the EQL 3.0.0 release. + +## The typed-operand rule + +The `eql_v3` domains are backed by `jsonb`. When an operand has no known type β€” a bare string literal, an untyped parameter β€” PostgreSQL reduces the domain to its `jsonb` base type and resolves the **native `jsonb` operator** instead of the encrypted one. The query doesn't fail; it silently returns native `jsonb` semantics, which are meaningless for encrypted payloads. + +```sql +-- ❌ Wrong: untyped parameter. PostgreSQL falls back to the native jsonb `=`, +-- which compares raw payloads β€” syntactically valid, semantically meaningless. +SELECT * FROM users WHERE email = $1; + +-- βœ… Right: typed operand β€” the encrypted `=` resolves. +SELECT * FROM users WHERE email = $1::public.text_eq; +``` + +Always type the operand: a typed parameter (`$1::public.text_eq`) or an explicit cast (`'…'::public.integer_ord`). The [Stack SDK](/reference/stack) and [CipherStash Proxy](/reference/proxy) type bound parameters automatically β€” raw SQL must do it by hand. + +This is the one place where a mistake is *silent*. Everything else fails loudly: + +## Unsupported operations fail loudly + +Unsupported operators are not silent no-ops. Every operator that a variant doesn't support is still *defined* β€” it routes to a blocker function that raises an `operator … is not supported` exception. A mis-typed query fails loudly instead of silently returning wrong results: + +```sql +-- salary is public.bigint_eq (equality only) +SELECT * FROM users WHERE salary > $1::public.bigint_eq; +-- ERROR: operator > is not supported for public.bigint_eq +``` + +A `NULL` operand still raises β€” the blockers are deliberately not `STRICT`, so PostgreSQL can't skip the check. (A SQL `NULL` column value is not encrypted, so `IS NULL` / `IS NOT NULL` themselves always work, on every variant.) + +`LIKE` and `ILIKE` are blocked on **every** encrypted variant β€” pattern matching is meaningless on ciphertext. Encrypted text matching is bloom-filter token containment instead; [Text](/reference/eql/text) covers it. + +One equality subtlety follows from the term table above: on `_ord` / `_ord_ore` columns, `=` and `<>` compare the **ORE (`ob`) term** β€” ORE comparison collapses to equality β€” so `_ord` payloads carry no `hm` term at all. On `_eq` and `text_search` columns, equality compares the HMAC (`hm`) term. + +## What the terms reveal + +Every index term a value carries is extra material stored in the database, and each term class reveals defined structure to an observer who can read the stored payloads: equality terms reveal *value repetition* (which rows share a value), ORE terms reveal *ordering* (which of two values is larger), and bloom terms reveal *probabilistic token overlap*. None of them reveal the plaintext β€” but you should only carry the terms you actually query on. The full analysis of what each term does and doesn't leak is in [Searchable encryption](/concepts/searchable-encryption). diff --git a/content/docs/reference/eql/dates-and-times.mdx b/content/docs/reference/eql/dates-and-times.mdx new file mode 100644 index 0000000..ea8f0a9 --- /dev/null +++ b/content/docs/reference/eql/dates-and-times.mdx @@ -0,0 +1,153 @@ +--- +title: Dates & times +description: "The complete reference for encrypted date and timestamp columns: the domain variants, the ORE-backed payload, and time-window, newest-first, and MIN/MAX queries." +type: reference +components: [eql] +verifiedAgainst: + eql: "3.0.0" +--- + + + +`date` and `timestamp` columns carry the same capabilities as [encrypted numbers](/reference/eql/numbers) β€” equality, ranges, ordering, `MIN` / `MAX` β€” but the queries they serve are temporal: time windows, newest-first listings, retention cutoffs, "when did this last happen". + +## Variants + +Both types generate the same `jsonb`-backed domain variants. The generic form: + +| Domain variant | Capability | +| --- | --- | +| `public.` | Storage and decryption only. | +| `public._eq` | Equality: `=`, `<>`, `IN`, `GROUP BY`, `DISTINCT`, equijoins. | +| `public._ord` | Comparisons, `BETWEEN`, `ORDER BY`, `MIN` / `MAX` β€” plus equality. | +| `public._ord_ore` | As `_ord`, with the ORE mechanism pinned β€” see [SEM specifiers](#sem-specifiers). | + +And every concrete domain this page covers: + +| Type | Variants | +| --- | --- | +| `date` | `public.date` Β· `public.date_eq` Β· `public.date_ord` Β· `public.date_ord_ore` | +| `timestamp` | `public.timestamp` Β· `public.timestamp_eq` Β· `public.timestamp_ord` Β· `public.timestamp_ord_ore` | + +Time columns are nearly always ranged and sorted, so `_ord` is the usual choice. Declare only the capability you query on β€” each capability stores extra searchable material with defined leakage (see [Searchable encryption](/concepts/searchable-encryption)), and the variant model itself is covered in [Core concepts](/reference/eql/core-concepts). + +### Example + +An audit-events table where the timestamps drive time-window queries and sorting: + +```sql +CREATE TABLE audit_events ( + id bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY, + occurred_at public.timestamp_ord, -- time windows, newest-first, MIN/MAX + review_due public.date_ord, -- range filters + sealed_on public.date -- store and decrypt only +); +``` + +### SEM specifiers + +Both types take the same mechanism specifiers on their orderable variant (the concept is defined in [Core concepts](/reference/eql/core-concepts#sem-specifiers)): + +| Specifier | Meaning | +| --- | --- | +| `_ord` | Orderable, using EQL's default mechanism (currently ORE). | +| `_ord_ore` | Orderable via ORE, pinned explicitly. | + +The EQL v3 release adds an OPE specifier for every orderable type; unspecified `_ord` columns keep tracking the default. + +## Payload + +A value for an `_ord` column carries the shared envelope keys (`v`, `i`, `c` β€” see [Core concepts](/reference/eql/core-concepts)) plus the `ob` ordering term. Here is a payload for the `public.timestamp_ord` `occurred_at` column: + +```json +{ + "v": 3, + "i": { "t": "audit_events", "c": "occurred_at" }, + "c": "mBbKmsMM%bK#QQOx1yLDBHyD...", + "ob": [ + "7a1fd0c2...", "d24c9be1...", "03fa66b8...", "91b7e04d...", + "5c28aa19...", "e6f3071c...", "48d92ab5...", "0b64cf37...", + "2ce8b1f4...", "a90d57e2...", "6f13c8ba...", "d4720e95..." + ] +} +``` + +- **`ob` is the only index term.** An `_ord` payload carries no `hm`: equality on `_ord` variants compares ORE terms, which collapse to equality β€” see [Core concepts](/reference/eql/core-concepts). +- **The `ob` block count varies with the plaintext width** β€” `timestamp` values carry 12 blocks. + +## Operators + +| SQL operator | `public.` | `_eq` | `_ord` / `_ord_ore` | +| --- | :---: | :---: | :---: | +| `=` / `<>` | ❌ | βœ… | βœ… | +| `<` `<=` `>` `>=` | ❌ | ❌ | βœ… | +| `BETWEEN` (desugars to `>=` and `<=`) | ❌ | ❌ | βœ… | +| `IN` (desugars to `=`) | ❌ | βœ… | βœ… | +| `GROUP BY` / `DISTINCT` | ❌ | βœ… | βœ… | +| `ORDER BY` | ❌ | ❌ | βœ… | +| `IS NULL` / `IS NOT NULL` | βœ… | βœ… | βœ… | + +Blocked *operator* cells raise an `operator … is not supported` exception β€” they never silently return wrong rows. `ORDER BY` is the one blocked cell that doesn't raise: it isn't an operator, so sorting a variant without an ordering term runs β€” but the order is meaningless (see [Sorting](/reference/eql/sorting)). Operands must be typed (`$1::public.timestamp_ord`), or PostgreSQL resolves the native `jsonb` operator instead of the encrypted one. Both rules are covered in [Core concepts](/reference/eql/core-concepts). + +## Functions + +Every operator has a function form, for managed platforms that disallow custom operators β€” same typed arguments, identical resolution. The `MIN` / `MAX` aggregates only exist as functions: + +| Function | Equivalent | Available on | +| --- | --- | --- | +| `eql_v3.eq(a, b)` / `eql_v3.neq(a, b)` | `=` / `<>` | `_eq`, `_ord` / `_ord_ore` | +| `eql_v3.lt` / `lte` / `gt` / `gte` | `<` `<=` `>` `>=` | `_ord` / `_ord_ore` | +| `eql_v3.min(col)` / `eql_v3.max(col)` | aggregate `MIN` / `MAX` | `_ord` / `_ord_ore` | + +## Example queries + +### Time window + +```sql +SELECT * FROM audit_events +WHERE occurred_at BETWEEN $1::public.timestamp_ord AND $2::public.timestamp_ord; + +SELECT * FROM audit_events +WHERE review_due BETWEEN $1::public.date_ord AND $2::public.date_ord; +``` + +### Retention cutoff + +```sql +SELECT id FROM audit_events +WHERE occurred_at < $1::public.timestamp_ord; +``` + +### Newest-first listing + +Write the sort key in extractor form to stream rows out of the index already ordered β€” at large row counts this is the difference between seconds and milliseconds (see [Sorting](/reference/eql/sorting)): + +```sql +SELECT * FROM audit_events +WHERE occurred_at >= $1::public.timestamp_ord +ORDER BY eql_v3.ord_term(occurred_at) DESC +LIMIT 10; +``` + +### First and last event + +```sql +SELECT eql_v3.min(occurred_at), eql_v3.max(occurred_at) FROM audit_events; +``` + +## Where to next + + + + The same capabilities on int, float, and numeric columns. + + + Btree recipes on `eql_v3.ord_term` for range, ORDER BY, and MIN/MAX. + + + Why the extractor-form sort key matters, and how to verify with EXPLAIN. + + + WHERE-clause patterns across all encrypted types. + + diff --git a/content/docs/reference/eql/filtering.mdx b/content/docs/reference/eql/filtering.mdx new file mode 100644 index 0000000..6210731 --- /dev/null +++ b/content/docs/reference/eql/filtering.mdx @@ -0,0 +1,126 @@ +--- +title: Filtering +description: "WHERE-clause patterns on encrypted columns: equality, IN lists, ranges and BETWEEN, text token matching, JSON containment, and combining encrypted and plaintext predicates." +type: reference +components: [eql] +verifiedAgainst: + eql: "3.0.0" +--- + + + +Every filter below is ordinary SQL β€” the encrypted operators resolve from the column's domain variant, and a functional index on the matching term extractor serves the predicate. One rule applies throughout: **operands must be typed** (`$1::public.text_eq`, not a bare literal), or PostgreSQL falls through to native `jsonb` semantics. See [Core concepts](/reference/eql/core-concepts) for the typed-operand rule and how unsupported operators fail loudly instead of returning wrong rows. + +## Equality: `=` and `<>` + +Works on `_eq` and `_ord` / `_ord_ore` variants of every scalar, and on `text_search`: + +```sql +SELECT * FROM users WHERE email = $1::public.text_eq; +SELECT * FROM users WHERE tax_id <> $1::public.text_eq; +``` + +On `_eq` and `text_search` columns equality compares the HMAC (`hm`) term. On `_ord` variants there is no `hm` β€” equality compares the ORE (`ob`) term, which collapses to equality, so `_ord` columns get `=` and `<>` for free. See [Core concepts](/reference/eql/core-concepts) for the mechanism. + +```sql +-- salary is public.bigint_ord: equality works without an hm term +SELECT * FROM users WHERE salary = $1::public.bigint_ord; +``` + +Bare storage-only variants (`public.text`, `public.integer`, …) block every comparison β€” see the type pages for what each variant supports: [Numbers](/reference/eql/numbers), [Dates & times](/reference/eql/dates-and-times), [Text](/reference/eql/text), [Booleans](/reference/eql/booleans). + +## `IN` lists + +`IN` desugars to `=`, so it needs the same equality-capable variants. Each list element is a separately encrypted, typed operand: + +```sql +SELECT * FROM users +WHERE email IN ($1::public.text_eq, $2::public.text_eq, $3::public.text_eq); +``` + +There is no way to encrypt a list as one value β€” the client encrypts each element and binds it as its own parameter. `IN (subquery)` also works, subject to the same-keyset rule covered in [Joins](/reference/eql/joins). + +## Ranges and `BETWEEN` + +`<`, `<=`, `>`, `>=` work on `_ord` / `_ord_ore` variants and `text_search` β€” the variants carrying an ORE (`ob`) term: + +```sql +SELECT * FROM users WHERE salary >= $1::public.bigint_ord; + +-- BETWEEN desugars to >= and <= +SELECT * FROM users +WHERE created_at BETWEEN $1::public.timestamp_ord AND $2::public.timestamp_ord; +``` + +Half-open ranges compose the same way: + +```sql +SELECT * FROM events +WHERE occurred_at >= $1::public.timestamp_ord + AND occurred_at < $2::public.timestamp_ord; +``` + +## Text token matching: `@>` + +There is no `LIKE` on encrypted columns β€” encrypted free-text matching is bloom-filter token containment via `@>` on a `text_match` or `text_search` column: + +```sql +SELECT * FROM users WHERE name @> $1::public.text_match; +``` + +The client encrypts the search term into a bloom-filter query value; matching is probabilistic (false positives possible, false negatives not). For the full no-`LIKE` story and match-term tuning, see [Text](/reference/eql/text). + +## JSON containment and path filters + +Encrypted JSON documents (`public.json`) filter by containment and path existence: + +```sql +-- Does the document contain this (encrypted) structure? +SELECT * FROM orders WHERE metadata @> $1::eql_v3.query_jsonb; + +-- Does this path exist in the document? +SELECT * FROM orders WHERE eql_v3.jsonb_path_exists(metadata, 'region_selector'); + +-- Equality on an extracted leaf +SELECT * FROM orders +WHERE metadata -> 'email_selector'::text = $1::public.jsonb_entry; +``` + +Field access is by selector hash, not plaintext path. The full JSON surface β€” containment, field access, path queries, and range filters on extracted leaves β€” is in [JSON](/reference/eql/json). + +## Combining predicates + +Encrypted predicates compose with `AND`, `OR`, `NOT`, and parentheses like any other predicate β€” and plaintext columns filter normally alongside encrypted ones in the same `WHERE` clause: + +```sql +SELECT * FROM users +WHERE status = 'active' -- plaintext column, native operator + AND created_at >= $1::public.timestamp_ord -- encrypted range + AND (email = $2::public.text_eq -- encrypted equality + OR name @> $3::public.text_match); -- encrypted token match +``` + +The planner treats each encrypted predicate independently, so it can combine an index on a plaintext column with a functional index on an encrypted one (bitmap-AND, or whichever plan is cheapest). + +## `IS NULL` and `IS NOT NULL` + +A SQL `NULL` column value is never encrypted β€” there is no payload to encrypt β€” so null checks work on **every** variant, including storage-only ones: + +```sql +SELECT * FROM users WHERE tax_id IS NULL; +SELECT * FROM users WHERE tax_id IS NOT NULL; +``` + +Don't confuse this with a JSON `null` *inside* an encrypted document, which is an encrypted value like any other β€” see [JSON](/reference/eql/json). + +## Shape summary + +| Filter shape | Operators | Works on | Index | +| --- | --- | --- | --- | +| Equality | `=` `<>` `IN` | `_eq`, `_ord` / `_ord_ore`, `text_search` | hash (or btree) on `eql_v3.eq_term` β€” btree on `eql_v3.ord_term` for `_ord` | +| Range | `<` `<=` `>` `>=` `BETWEEN` | `_ord` / `_ord_ore`, `text_search` | btree on `eql_v3.ord_term` | +| Text token match | `@>` `<@` | `text_match`, `text_search` | GIN on `eql_v3.match_term` | +| JSON containment | `@>` `<@` | `public.json` | GIN on `eql_v3.to_ste_vec_query(col)::jsonb` | +| Null check | `IS NULL` / `IS NOT NULL` | every variant | β€” | + +Every one of these has a full index recipe β€” which method, which extractor, and how to confirm the index engages with `EXPLAIN` β€” in [Indexes](/reference/eql/indexes). diff --git a/content/docs/reference/eql/functions.mdx b/content/docs/reference/eql/functions.mdx new file mode 100644 index 0000000..22cf3c0 --- /dev/null +++ b/content/docs/reference/eql/functions.mdx @@ -0,0 +1,72 @@ +--- +title: Functions +description: "Generated catalog of EQL SQL functions and operators (EQL 3.0.0-sample)." +type: reference +components: [eql] +verifiedAgainst: + eql: "3.0.0-sample" +--- + +{/* GENERATED β€” do not edit. Produced by scripts/generate-eql-api-docs.ts from the EQL manifest (v3.0.0-sample). */} + + + + +Generated from the **EQL 3.0.0-sample** manifest (the Doxygen'd SQL is the source of truth). For the model behind these β€” variants, terms, typed operands β€” see [Core concepts](/reference/eql/core-concepts). + + +The EQL SQL surface β€” encrypted domains (in the `public` schema) and the `eql_v3` functions behind them. The type and query pages explain *when* to use these; this page is the exhaustive reference they link to. + +## Encrypted domains + +A column's capability is declared by its **domain variant**. This matrix comes straight from the Rust catalog (`eql-codegen dump-catalog`) β€” the source of truth the SQL is generated from. See [Core concepts](/reference/eql/core-concepts) for the model. + +| Domain | Type | Variant | Capabilities | Operators | +| --- | --- | --- | --- | --- | +| `public.integer` | integer | _(storage only)_ | storage | β€” | +| `public.integer_eq` | integer | `_eq` | equality | `=` `<>` | +| `public.integer_ord` | integer | `_ord` | equality, order | `=` `<>` `<` `<=` `>` `>=` | +| `public.integer_ord_ope` | integer | `_ord_ope` | equality, order | `=` `<>` `<` `<=` `>` `>=` | +| `public.text_match` | text | `_match` | match | `@>` `<@` | +| `public.text_search` | text | `_search` | equality, order, match | `=` `<>` `<` `<=` `>` `>=` `@>` `<@` | +| `public.json` | jsonb | _(storage only)_ | json | β€” | +| `public.jsonb_entry` | jsonb | _(storage only)_ | json | β€” | +| `public.jsonb_query` | jsonb | _(storage only)_ | json | β€” | + +## Functions + +The public `eql_v3` API β€” 2 functions (2 overloads). Internal `eql_v3_internal` functions (3) are implementation detail and omitted. + +### `jsonb_path_query` + +Query encrypted JSONB for sv elements matching a selector. + +Returns one jsonb_entry row per matching encrypted element. + +**Signature:** + +```sql +jsonb_path_query(jsonb, text) +``` + +| Parameter | Type | Description | +| --- | --- | --- | +| `val` | `jsonb` | encrypted EQL payload with sv | +| `selector` | `text` | selector hash | + + +**Returns:** `public.jsonb_entry` β€” matching encrypted entries + +### `version` + +Get the installed EQL version string. + +Returns the version string for the installed EQL library. + +**Signature:** + +```sql +version() +``` + +**Returns:** `text` β€” the version string diff --git a/content/docs/reference/eql/grouping-and-aggregates.mdx b/content/docs/reference/eql/grouping-and-aggregates.mdx new file mode 100644 index 0000000..568be31 --- /dev/null +++ b/content/docs/reference/eql/grouping-and-aggregates.mdx @@ -0,0 +1,106 @@ +--- +title: Grouping & aggregates +description: "GROUP BY, DISTINCT, COUNT, and eql_v3.min/max on encrypted columns β€” why to group on the extractor, and why SUM and AVG stay client-side." +type: reference +components: [eql] +verifiedAgainst: + eql: "3.0.0" +--- + + + +Grouping and deduplication need an equality term, so they work on the same variants as `=`: `_eq`, `_ord` / `_ord_ore`, and `text_search`. `MIN` / `MAX` need an ordering term (`_ord` / `_ord_ore`, `text_search`). Arithmetic aggregates don't work at all β€” that's the last section. As everywhere, operands and call-site casts must be typed; see [Core concepts](/reference/eql/core-concepts). + +## `GROUP BY` and `DISTINCT` + +Both work in natural form on equality-capable variants: + +```sql +SELECT email, COUNT(*) FROM logins GROUP BY email; +SELECT DISTINCT email FROM logins; +``` + +Grouping compares equality terms, so rows encrypting the same plaintext land in the same group β€” but the group key that comes back is ciphertext. Decrypt it in the client if you need to display it. + +## Group on the extractor + +For anything beyond small tables, group on the equality-term extractor instead of the raw column: + +```sql +SELECT eql_v3.eq_term(email) AS email_term, COUNT(*) + FROM logins + GROUP BY eql_v3.eq_term(email); +``` + +The reason is planner economics. `GROUP BY email` uses the entire encrypted payload β€” 1–2 KB per row β€” as the hash key. Postgres estimates a hash table far larger than the default `work_mem` and falls back to a disk-spilling `GroupAggregate`. The extractor key is a small deterministic term: the hash table fits in `work_mem` and the planner picks `HashAggregate` reliably. If an ORM forces the raw-column form, raising `work_mem` is the rescue knob β€” but the extractor form is the design. The same reasoning, from the index-tuning angle, is in [Indexes](/reference/eql/indexes). + +Note the trade-off: grouping on `eq_term` returns the *term*, not the encrypted value β€” fine for counting, but the term itself can't be decrypted. If you need the group key's plaintext, join the grouped result back to the table on the term to recover a representative encrypted value, then decrypt that in the client. + +## `COUNT` and `COUNT(DISTINCT)` + +Plain `COUNT(col)` counts non-`NULL` rows β€” it never compares values, so it works on **any** variant, including storage-only ones: + +```sql +SELECT COUNT(tax_id) FROM users; -- works even on bare public.text +``` + +`COUNT(DISTINCT col)` deduplicates, so it needs an equality-capable variant β€” and the same extractor advice applies: + +```sql +SELECT COUNT(DISTINCT eql_v3.eq_term(email)) FROM logins; +``` + +## `MIN` and `MAX`: `eql_v3.min` / `eql_v3.max` + +EQL ships `min` / `max` aggregates per ord-capable variant of every scalar type. The input type selects the aggregate, and the return type matches the input: + +```sql +eql_v3.min(public._ord) RETURNS public._ord +eql_v3.max(public._ord) RETURNS public._ord +eql_v3.min(public._ord_ore) RETURNS public._ord_ore +eql_v3.max(public._ord_ore) RETURNS public._ord_ore +``` + +Comparison routes through the variant's `<` / `>` operator on the ORE term β€” no decryption happens in the database, and the result is an encrypted value the client decrypts. `NULL` inputs are skipped; an all-`NULL` input set returns `NULL`, matching native aggregate semantics. + +```sql +SELECT eql_v3.min(salary) FROM users; +SELECT eql_v3.max(salary) FROM users WHERE department = 'engineering'; + +-- Combined with grouping +SELECT eql_v3.eq_term(department_code) AS dept, eql_v3.max(salary) + FROM users + GROUP BY eql_v3.eq_term(department_code); +``` + +If the column is generic `jsonb` rather than a domain, cast to the right variant at the call site so overload resolution can pick the aggregate: + +```sql +SELECT eql_v3.min(salary_jsonb::public.bigint_ord) FROM users; +``` + +A btree on `eql_v3.ord_term(col)` serves `MIN` / `MAX` β€” the [Indexes](/reference/eql/indexes) page has the recipe. + +## No `SUM`, no `AVG` + + +**`SUM`, `AVG`, and every other arithmetic aggregate are unsupported** on encrypted columns β€” they would require homomorphic encryption, which EQL does not do. `MIN` / `MAX` work because they only need *comparison*, which the ORE term provides. For sums and averages, select the rows (or `MIN`/`MAX`/`COUNT` server-side to narrow them) and aggregate client-side after decryption. + + +## Grouping on extracted JSON leaves + +Leaves inside an encrypted JSON document group the same way β€” extract the entry by selector, then group on its equality term: + +```sql +SELECT eql_v3.eq_term(metadata -> 'region_selector'::text) AS region, COUNT(*) + FROM orders + GROUP BY eql_v3.eq_term(metadata -> 'region_selector'::text); +``` + +`eql_v3.eq_term` reads whichever term the entry carries, so this works on every JSON node type. String and Number leaves also support `eql_v3.min` / `eql_v3.max` via their CLLW OPE term. Selectors and node capabilities are in [JSON](/reference/eql/json). + +## Where to go next + +- [Indexes](/reference/eql/indexes) β€” the hash/btree recipes that back these shapes, and the full `work_mem` / `HashAggregate` story. +- [Joins](/reference/eql/joins) β€” equality terms across tables, and the same-keyset rule. +- [Filtering](/reference/eql/filtering) β€” the `WHERE` shapes that feed these aggregates. diff --git a/content/docs/reference/eql/index.mdx b/content/docs/reference/eql/index.mdx new file mode 100644 index 0000000..693645a --- /dev/null +++ b/content/docs/reference/eql/index.mdx @@ -0,0 +1,181 @@ +--- +title: EQL +description: "Encrypt Query Language (EQL) installs encrypted column types and operators into Postgres as plain SQL β€” encryption itself happens in your client." +type: reference +components: [eql] +verifiedAgainst: + eql: "3.0.0" +--- + + + +Encrypt Query Language (EQL) is a set of types, operators, and functions for storing and querying encrypted data in PostgreSQL. The [Stash CLI](/reference/cli) installs it over an ordinary database connection β€” no extension packaging, no superuser, no operator classes β€” so it runs on Supabase, RDS, Cloud SQL, and self-hosted Postgres alike. + +EQL itself never encrypts anything. Encryption and decryption happen in the client, using the [Stack SDK](/reference/stack) or [CipherStash Proxy](/reference/proxy). EQL provides the database-side surface those clients query against: encrypted column types, the operators that compare them, and the term-extractor functions that make indexes work. + +Every encrypted column is a `jsonb`-backed domain type in the `public` schema (the functions and operators behind them live in `eql_v3`), and the domain variant you choose declares what the column can do β€” the full model is in [Core concepts](/reference/eql/core-concepts). + +## Install + + + + +### Run the installer + +Point the [Stash CLI](/reference/cli) at your database and install the `eql_v3` schema: + +```bash +npx stash eql install --eql-version 3 +``` + +`stash eql install` scaffolds a [`stash.config.ts`](#configuration) if your project doesn't have one, then installs the `eql_v3` schema β€” all domain types, operators, functions, and aggregates β€” along with the `cs_migrations` tracking schema that the `stash encrypt` commands depend on. It is idempotent: re-running reports that EQL is already installed and changes nothing. Pass `--force` to reinstall in place. + + +`--eql-version 3` selects the native `eql_v3` domain schema this reference documents. Without it the CLI installs EQL v2. v3 installs directly against the database, so the `--drizzle`, `--migration`, and `--latest` flags β€” all v2-only β€” don't apply. + + + + + +### Point it at each database + +The CLI reads the connection string from `DATABASE_URL` (your environment or a `.env` file) and prompts if it can't find one. Override it for a single run β€” handy when installing across several databases β€” with `--database-url`, which is used for that run only and never written to disk: + +```bash +npx stash eql install --eql-version 3 \ + --database-url postgres://user:pass@host:5432/mydb +``` + +Run the installer against every database that stores encrypted columns. + + + + +### Verify + +```bash +npx stash eql status +``` + +Or check directly from SQL: + +```sql +SELECT eql_v3.version(); +-- '3.0.0' +``` + + + + +To pull in a newer EQL release later, run `npx stash eql upgrade --eql-version 3`. + + +To uninstall, drop both EQL schemas: `DROP SCHEMA eql_v3, eql_v3_internal CASCADE`. This removes the encrypted operators and functions, so queries against encrypted columns stop resolving β€” but your data survives: the `public.*` domain types (and the columns typed as them) live in the `public` schema and are left untouched. Remove those separately only if you intend to drop or re-type the columns. + + +### Configuration + +`stash eql install` reads a `stash.config.ts` at your project root, scaffolding one on first run if it's missing. The same file is used by the `stash db` and `stash encrypt` commands. It exports a `defineConfig` object with two fields: + +| Field | Required | Description | +| --- | --- | --- | +| `databaseUrl` | Yes | PostgreSQL connection string. The scaffold sets it to `await resolveDatabaseUrl()`, which resolves from the `--database-url` flag, then `DATABASE_URL` (environment or `.env`), then `supabase status`, then an interactive prompt. The resolved connection string is never written to disk β€” only the declarative call is. | +| `client` | No | Path to your encryption client file. Defaults to `./src/encryption/index.ts`. | + +```ts filename="stash.config.ts" +import { defineConfig, resolveDatabaseUrl } from "stash"; + +export default defineConfig({ + databaseUrl: await resolveDatabaseUrl(), + client: "./src/encryption/index.ts", +}); +``` + +### dbdev + +EQL is also published to [dbdev](https://database.dev/cipherstash/eql). The dbdev release can lag behind GitHub releases, so prefer `stash eql install` when you need the latest version. + +### Docker for local development + +Run a Postgres image with EQL pre-installed: + +```sh +docker run --rm -p 5432:5432 -e POSTGRES_PASSWORD=postgres \ + ghcr.io/cipherstash/postgres-eql:17 +``` + +EQL installs automatically on first boot. Images are available for PostgreSQL 14–17 (`:14` through `:17`), and you can pin a specific EQL version with a suffixed tag (for example `:17-3.0.0`). + +## Permissions + +Installing EQL and running queries against it need different privileges. A common production pattern splits them across two users. + +**Migration user** β€” installs EQL and adds encrypted columns during migrations: + +```sql +GRANT CREATE ON DATABASE your_database TO your_migration_user; +GRANT CREATE ON SCHEMA public TO your_migration_user; +GRANT ALTER ON ALL TABLES IN SCHEMA public TO your_migration_user; +``` + +`CREATE ON DATABASE` lets EQL create its schemas (`eql_v3`, `eql_v3_internal`) and the `public.*` domain types; `CREATE ON SCHEMA` and `ALTER` are needed to add encrypted columns (typed as `public.*` domains, with their `CHECK` constraints) to your tables. + +**Runtime user** β€” the application's day-to-day access: + +```sql +-- EQL schema usage (resolves the encrypted operators / extractors) +GRANT USAGE ON SCHEMA eql_v3 TO your_app_user; +GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA eql_v3 TO your_app_user; + +-- User table access (normal application permissions) +GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE your_tables TO your_app_user; +``` + +Schema changes β€” adding or removing encrypted columns β€” always go through the migration user. + +## Managed Postgres and Supabase + +EQL v3 is designed to install without superuser. There are no custom operator classes (which managed platforms typically block), no `postgresql.conf` changes, and no separate Supabase build β€” the same schema installs everywhere. When the connected role lacks superuser, `stash eql install` detects it and automatically falls back to the no-operator-family install variant, so it works on Supabase, Neon, and RDS without extra flags. Indexing works through ordinary functional indexes over EQL's term-extractor functions, which any user who can `CREATE INDEX` can build. See the [Supabase integration](/integrations/supabase) for platform-specific setup. + +## Understand + + + + Domain variants, the encrypted payload, typed operands, and fail-loud blockers β€” the model every other page assumes. + + + Encrypted integers, floats, and numerics. + + + Encrypted dates and timestamps: time windows, newest-first, retention cutoffs. + + + Encrypted text: equality, ordering, and free-text token matching β€” and why there is no `LIKE`. + + + Encrypted JSON documents: containment, field access, and GIN indexing. + + + Storage-only by design: why encrypted booleans carry no index terms. + + + Functional-index recipes over the term extractors, and what it takes for an index to engage. + + + +## Use + + + + `WHERE` clauses on encrypted columns: equality, ranges, and text containment. + + + `ORDER BY` on encrypted columns, and how to keep the sort in the index. + + + `GROUP BY`, `DISTINCT`, `COUNT`, and the `MIN` / `MAX` aggregates. + + + Equijoins on encrypted columns and the same-keyset rule. + + diff --git a/content/docs/reference/eql/indexes.mdx b/content/docs/reference/eql/indexes.mdx new file mode 100644 index 0000000..df87fb4 --- /dev/null +++ b/content/docs/reference/eql/indexes.mdx @@ -0,0 +1,184 @@ +--- +title: Indexes +description: "Create Postgres indexes on encrypted columns using functional indexes over EQL's term-extractor functions." +type: reference +components: [eql] +verifiedAgainst: + eql: "3.0.0" +--- + + + +EQL indexes are ordinary PostgreSQL functional indexes over **term-extractor functions** β€” never an index or operator class on the column itself. Each extractor returns a small per-row index term whose return type already carries a default operator class: + +| Extractor | Index method | Term | Capability | +| --- | --- | --- | --- | +| `eql_v3.eq_term(col)` | `hash` (or `btree`) | `hm` (HMAC-256) | equality | +| `eql_v3.ord_term(col)` | `btree` | `ob` (ORE block) | range, `ORDER BY`, `MIN` / `MAX` | +| `eql_v3.match_term(col)` | `gin` | `bf` (bloom filter) | text containment | + +The extractors are inlinable SQL functions, so the planner rewrites a bare-form predicate into the same expression the index was built on. You don't rewrite queries to use the index: + +```sql +SELECT * FROM users WHERE email = $1::public.text_eq; +-- planner inlines `=` to: eql_v3.eq_term(email) = eql_v3.eq_term($1) +-- Index Cond on USING hash (eql_v3.eq_term(email)) +``` + + +EQL v3 deliberately ships no operator class for encrypted columns. Operators resolve against the domain's `jsonb` base type, so an opclass on the column would bypass the encrypted surface. Always index through the extractor. + + +## Index recipes + +Type the column as the domain variant that carries the term (see [Core concepts](/reference/eql/core-concepts) for the variant model, and the per-type pages for specifics), then index the matching extractor: + +```sql +-- Equality: hash index on eq_term +-- (columns typed public._eq or text_search; equality on _ord columns +-- compares ORE terms, so the btree on ord_term below serves it) +CREATE INDEX users_email_eq + ON users USING hash (eql_v3.eq_term(email)); + +-- Range / ordering: btree index on ord_term +-- (columns typed public._ord or _ord_ore) +CREATE INDEX users_created_at_ord + ON users USING btree (eql_v3.ord_term(created_at)); + +-- Text match: GIN index on match_term +-- (columns typed public.text_match or text_search) +CREATE INDEX users_name_match + ON users USING gin (eql_v3.match_term(name)); + +ANALYZE users; +``` + +Run `ANALYZE` after every index build. `CREATE INDEX` on an expression gathers no statistics for that expression β€” without `ANALYZE`, the planner has no histogram for `eql_v3.eq_term(email)` and can misjudge the index it just built. + +Create indexes when the table has a significant number of rows (typically more than 1,000) and you query the column with the matching operator. Drop indexes for capabilities you no longer query β€” duplicate indexes compete for cache and slow writes. + +## Requirements for an index to engage + +All three must hold: + +1. **The value carries the required term.** Equality needs `hm`, range needs `ob`, containment needs `bf`. Which terms travel in a value's payload is decided by the encryption client β€” a value with only a bloom term will not drive an equality index. +2. **The index was built after the data carried the term.** If you change which terms a column's values carry, recreate the index. +3. **The query operand is typed.** A typed parameter (`$1`, which CipherStash Proxy supplies) or an explicit cast resolves the encrypted operator; a bare `jsonb` literal falls through to native `jsonb` semantics and skips the index entirely: + +```sql +-- βœ“ resolves the encrypted operator β†’ uses the index +WHERE email = $1::public.text_eq; +WHERE email = $1; -- only when the client (Stack SDK / Proxy) binds $1 typed + +-- βœ— falls through to native jsonb semantics +WHERE email = '{"hm":"abc"}'::jsonb; +``` + +## Query shapes + +### Equality + +```sql +SELECT * FROM users WHERE email = $1::public.text_eq; +-- Index Scan using users_email_eq +-- Index Cond: (eql_v3.eq_term(email) = eql_v3.eq_term($1)) +``` + +### Range and ORDER BY + +The `<`, `<=`, `>`, `>=` operators inline to comparisons on `eql_v3.ord_term`, so natural-form range predicates match the btree: + +```sql +SELECT * FROM users WHERE created_at < $1::public.timestamp_ord; +``` + +`ORDER BY` needs care. The planner inlines operators in *predicates* but does not rewrite *sort keys*: `ORDER BY created_at` uses the index for the `WHERE` clause but still adds a `Sort` node, which scales linearly with the rows passing the filter. To stream rows out of the btree already ordered, write the sort key in extractor form: + +```sql +SELECT * FROM users + WHERE created_at < $1::public.timestamp_ord + ORDER BY eql_v3.ord_term(created_at) DESC + LIMIT 10; +``` + +ORE terms are order-preserving, so this sorts identically to the natural form β€” it just lets the index do the ordering. At large row counts this is the difference between seconds and milliseconds. + + +If you `SELECT col::jsonb ... ORDER BY col`, Postgres folds the cast into the scan and uses `(col)::jsonb` as the sort key β€” which matches no index. Project the column raw, or write the sort key as `eql_v3.ord_term(col)`, which sidesteps this entirely. + + +### GROUP BY and DISTINCT + +Group on the extractor, not the raw column: + +```sql +SELECT eql_v3.eq_term(email), count(*) + FROM users + GROUP BY eql_v3.eq_term(email); +``` + +`GROUP BY email` uses the entire encrypted payload (1–2 KB per row) as the hash key; Postgres estimates a hash table far larger than the default `work_mem` and falls back to a disk-spilling `GroupAggregate`. The extractor key is a small deterministic term, so the hash table fits in `work_mem` and the planner picks `HashAggregate` reliably. If an ORM forces the raw-column form, raising `work_mem` is the rescue knob β€” but the extractor form is the design. + +## Encrypted JSON + +Containment (`@>` / `<@`) on `public.json` document columns uses a GIN index over `eql_v3.to_ste_vec_query(col)::jsonb`, and field-level equality and ordering have their own extractor recipes. See [JSON](/reference/eql/json). + +## Verify with EXPLAIN + +The first move on a slow query is `EXPLAIN (COSTS OFF)`: + +- **`Index Scan using `** β€” the functional index is engaged. +- **`Index Cond:` referencing the extractor** (`eql_v3.eq_term(...)`, `eql_v3.ord_term(...)`) β€” the inlined predicate matched the index. +- **`Seq Scan`** β€” no index used. Check the three requirements above. +- **`Filter:` showing the raw operator** β€” inlining did not happen. Usual causes: a pinned `search_path` on a customised function, or the planner judging another plan cheaper. +- **`Sort` node above an Index Scan** β€” natural-form `ORDER BY`. Switch the sort key to `eql_v3.ord_term(col)` to eliminate it. + +Once the plan looks right, repeat with `EXPLAIN ANALYZE` to measure actual timings. For a full diagnosis walkthrough, see [query performance troubleshooting](/guides/troubleshooting/query-performance). + +## Building indexes on large tables + +Index *build* time is a separate axis from query time β€” a functional index that queries in a millisecond can take hours to `CREATE` on a large table. + +**Raise `maintenance_work_mem`.** `CREATE INDEX` draws on `maintenance_work_mem` (default 64 MB β€” far too small for a multi-million-row build). It's the single highest-leverage knob: + +```sql +SET maintenance_work_mem = '2GB'; +CREATE INDEX users_email_eq ON users USING btree (eql_v3.eq_term(email)); +``` + +**Prefer `btree` over `hash` for equality on large tables.** A btree build sorts then bulk-loads with sequential writes and can parallelise; a hash build scatters rows to random buckets and degrades to random I/O once the index outgrows cache β€” it cannot parallelise. A btree on `eql_v3.eq_term(col)` serves `=` exactly as well as a hash index, with no query-side cost. Hash is fine up to mid-six-figure row counts. + +**Expect a de-TOAST floor.** A functional index over a large encrypted column de-TOASTs the whole stored value once per row to evaluate the extractor. This cost is identical across access methods and sets the build's floor rate. Index builds are also I/O-heavy in a way queries are not β€” containerised Postgres on a virtualised filesystem (Docker Desktop on macOS, notably) pays a steep penalty, so run large builds on native storage. + +**Watch the build.** From a second session while `CREATE INDEX` runs: + +```sql +SELECT phase, tuples_done, tuples_total, + round(100.0 * tuples_done / nullif(tuples_total, 0), 1) AS pct +FROM pg_stat_progress_create_index; +``` + +A steady `tuples_done` rate is healthy. A rate that decays over time is the cache/memory wall β€” raise `maintenance_work_mem`, and if it's a hash index, rebuild it as a btree. + +## Why this works on managed Postgres + +Everything above is a functional index over an `IMMUTABLE` SQL function β€” no operator class on a column, no superuser, no `postgresql.conf` changes. Managed platforms that block custom operator classes (Supabase among them) run these recipes unchanged, so the indexing model is identical on Supabase, RDS, Cloud SQL, and self-hosted Postgres. See the [Supabase integration](/integrations/supabase). + +## Troubleshooting + +**Index not being used:** + +1. Verify the value carries the term: + + ```sql + SELECT email::jsonb ? 'hm' AS has_hmac, + email::jsonb ? 'ob' AS has_ore_block, + email::jsonb ? 'bf' AS has_bloom + FROM users LIMIT 1; + ``` + +2. Verify the operand is typed (`$1::public.text_eq`, not `$1::jsonb`). +3. Recreate the index if the column's terms changed after it was built. +4. Run `ANALYZE`. Very small tables may still choose a sequential scan β€” that's correct. + +**`=` returns zero rows on a populated column:** equality requires the term its variant compares β€” `hm` on `_eq` / `text_search`, `ob` on `_ord` variants. Type the column as an equality-capable variant and confirm the encryption client is emitting that term. diff --git a/content/docs/reference/eql/joins.mdx b/content/docs/reference/eql/joins.mdx new file mode 100644 index 0000000..2b31347 --- /dev/null +++ b/content/docs/reference/eql/joins.mdx @@ -0,0 +1,114 @@ +--- +title: Joins +description: "Equijoins on encrypted columns: the same-keyset and matching-variant constraint, IN (subquery) and set operations, a worked example, and how to diagnose a join that returns nothing." +type: reference +components: [eql] +verifiedAgainst: + eql: "3.0.0" +--- + + + +Equijoins work on equality-capable variants (`_eq`, `_ord` / `_ord_ore`, `text_search`) β€” the join condition is just encrypted equality. But there is one constraint that has no plaintext equivalent, and it is the single thing to internalize on this page: + + +**Both sides of the join must be encrypted with the same keyset and typed as a matching variant.** Encrypted equality compares deterministic index terms, and those terms are derived from the encryption keys. Two columns encrypted under different keysets produce different terms for the *same plaintext* β€” their terms can **never** match, and the join returns no rows. This is not an error the database can detect: the query is valid, the plan is fine, the result is simply empty. + + +"Matching variant" means both sides compare the same term kind: `_eq` with `_eq` (or `text_search`, which carries an `hm` term too) compares HMAC terms; `_ord` with `_ord` compares ORE terms. An `_eq` column can't join an `_ord` column β€” one side has no `hm`, the other no `ob`, and the equality operator between mismatched variants doesn't resolve. See [Core concepts](/reference/eql/core-concepts) for the term model. + +## Equijoin + +```sql +SELECT u.*, o.total +FROM users u +JOIN orders o ON u.email = o.customer_email; +-- both columns public.text_eq, encrypted with the same keyset +``` + +No typed-operand cast is needed here β€” both operands are encrypted columns, so their domain types resolve the encrypted operator directly. All join types (`INNER`, `LEFT`, `RIGHT`, `FULL`) work; `LEFT JOIN` null-extension behaves normally because SQL `NULL`s are not encrypted. + +Index both sides for anything beyond small tables β€” a hash (or btree) index on `eql_v3.eq_term(col)` on each column. Recipes are in [Indexes](/reference/eql/indexes). + +## `IN (subquery)` and set operations + +Both follow the same rule, because both compare equality terms across two column sources: + +```sql +-- IN (subquery): users.email and orders.customer_email must share a keyset +SELECT * FROM users +WHERE email IN (SELECT customer_email FROM orders WHERE flagged); + +-- Set-operation dedup: UNION / INTERSECT / EXCEPT dedupe by equality term +SELECT email FROM users +UNION +SELECT customer_email FROM orders; +``` + +If the two columns are under different keysets, `IN (subquery)` matches nothing, `INTERSECT` is empty, `EXCEPT` returns everything, and `UNION` never merges duplicates β€” all silently. + +## Worked example + +Two tables sharing an encrypted customer identifier, both columns typed `public.text_eq` and encrypted by the same client configuration (same keyset): + +```sql +CREATE TABLE users ( + id BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY, + email public.text_eq +); + +CREATE TABLE orders ( + id BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY, + customer_email public.text_eq, + total BIGINT NOT NULL +); + +CREATE INDEX users_email_eq ON users USING hash (eql_v3.eq_term(email)); +CREATE INDEX orders_cust_eq ON orders USING hash (eql_v3.eq_term(customer_email)); +ANALYZE users; ANALYZE orders; +``` + +Orders per user, filtered by an encrypted lookup on one side: + +```sql +SELECT u.id, COUNT(o.id) AS order_count +FROM users u +LEFT JOIN orders o ON u.email = o.customer_email +WHERE u.email = $1::public.text_eq +GROUP BY u.id; +``` + +The `WHERE` engages the hash index on `users`; the join condition engages the one on `orders`. The grouping key here is a plaintext `id`, so no extractor is needed β€” grouping on encrypted columns is covered in [Grouping & aggregates](/reference/eql/grouping-and-aggregates). + +## Anti-pattern: joining across keysets + +The failure mode is quiet. A join across keysets doesn't raise, doesn't warn, and produces a plan that looks healthy β€” the terms just never match, so it behaves exactly like a join where no rows happen to correlate: + +```sql +-- users encrypted by service A's keyset, partners by service B's: +SELECT * FROM users u JOIN partners p ON u.email = p.contact_email; +-- 0 rows. Always. Even when the plaintext emails overlap. +``` + +To diagnose a join that returns fewer rows than expected (or none): + +1. **Check the variants.** Both columns must be equality-capable and compare the same term kind. A blocked operator raises loudly, so if the query *runs*, the variants at least resolve β€” but confirm they compare the same term (`hm` vs `ob`). +2. **Compare terms for a known-matching pair.** Take one row from each table that you know holds the same plaintext and compare their equality terms: + + ```sql + SELECT eql_v3.eq_term(u.email) = eql_v3.eq_term(p.contact_email) AS terms_match + FROM users u, partners p + WHERE u.id = 42 AND p.id = 7; -- rows known to share a plaintext value + ``` + + `false` for plaintext-identical values means the terms were derived under different keysets (or different client configurations) β€” no SQL will make them join. +3. **Fix it at the encryption layer.** Configure both columns under the same keyset in the [Stack SDK](/reference/stack) or [CipherStash Proxy](/reference/proxy) and re-encrypt one side. Cross-keyset correlation otherwise has to happen in the client, after decryption. + +Treat shared keysets as part of your schema design: columns you intend to join are a unit, the same way a foreign key pair is. + +## Where to go next + +- [Filtering](/reference/eql/filtering) β€” the equality and `IN` shapes joins are built from. +- [Grouping & aggregates](/reference/eql/grouping-and-aggregates) β€” grouping joined results on encrypted keys. +- [Indexes](/reference/eql/indexes) β€” equality index recipes for both sides of a join. +- [Core concepts](/reference/eql/core-concepts) β€” index terms, variants, and why determinism makes joins possible at all. diff --git a/content/docs/reference/eql/json.mdx b/content/docs/reference/eql/json.mdx new file mode 100644 index 0000000..63add60 --- /dev/null +++ b/content/docs/reference/eql/json.mdx @@ -0,0 +1,270 @@ +--- +title: JSON +description: "The complete reference for encrypted JSON documents with public.json β€” the ste_vec payload shape, containment, field access, and path queries over ciphertext, with the native jsonb operators that don't apply blocked outright." +type: reference +components: [eql] +verifiedAgainst: + eql: "3.0.0" +--- + + + +`public.json` is EQL's encrypted JSON document type, built on structured encryption (**ste_vec**). The document is encrypted as a vector of encrypted entries β€” one entry per path inside the document β€” and every path is queryable without decryption: containment, field and array access, and equality or range comparisons on extracted leaves. + +Like every EQL type, `public.json` holds ciphertext the database can't read. Encryption, decryption, and selector generation happen in the client β€” the [Stack SDK](/reference/stack) or [CipherStash Proxy](/reference/proxy). See [Searchable encryption](/concepts/searchable-encryption) for how querying ciphertext works at all. + +## The types + +Three `jsonb`-backed domains make up the encrypted JSON surface: + +| Type | What it is | +| --- | --- | +| `public.json` | The column type. An encrypted document envelope carrying an `sv` array β€” one encrypted entry per path in the document. | +| `public.jsonb_entry` | A single entry from the vector: a selector, a ciphertext, and exactly one index term. This is what `->` returns. | +| `eql_v3.query_jsonb` | A containment needle: entries with selectors and index terms but **no ciphertext**. This is what you cast a `@>` operand to. | + +## Payload shape + +An encrypted JSON document uses a different payload shape from the scalar types: the standard envelope keys are present (`v`, `i`, plus the `k: "sv"` discriminator β€” envelope anatomy is covered in [Core concepts](/reference/eql/core-concepts)), but there is no root ciphertext. Instead, an `sv` array carries one encrypted entry per path in the document. Each entry has: + +| Key | Contents | +| --- | --- | +| `s` | Selector β€” a deterministic hash of the JSON path. Required; entry matching compares selectors first. | +| `c` | Ciphertext for the node at that path. | +| `hm` **or** `op` | Exactly one, never both β€” the domain `CHECK` enforces the exclusivity. `hm` (HMAC-256) on Boolean/`null` leaves and Object/Array roots; `op` (CLLW OPE, backed by `eql_v3_internal.ope_cllw`) on String/Number leaves. | +| `a` | Optional array marker β€” `true` when the selector points at an array context. | + +The decoded `op` value starts with a domain-tag byte (`0x00` numeric, `0x01` string) followed by the CLLW ciphertext, so numeric and string values in one column keep a consistent total order. Earlier alphas named this key `oc` and backed it with CLLW ORE; `3.0.0-alpha.4` renamed it to `op` and moved it to CLLW OPE, whose term orders under the default btree operator class. Older payload versions split it further, into `ocf` (fixed-width, numeric) and `ocv` (variable-width, string). + +A document payload for a `public.json` column: + +```json +{ + "v": 3, + "k": "sv", + "i": { "t": "orders", "c": "metadata" }, + "sv": [ + { "s": "2517068c0d1f9d4d41d2c666211f785e", "c": "mBbKmM...", "hm": "b0e0..." }, + { "s": "f510853a4ab9d4f75f51a533ac264c5d", "c": "mBbKmQ...", "op": "01a3f2..." }, + { "s": "33743aed3ae636f6bf05cff11ac4b519", "c": "mBbKmR...", "op": "004e19..." } + ] +} +``` + +- First entry: an object root β€” `hm` only, equality/containment +- Second entry: a string leaf β€” `op` starting with tag `01` +- Third entry: a numeric leaf β€” `op` starting with tag `00` + +A containment **query** payload (`eql_v3.query_jsonb`) has the same `sv` shape but its entries carry no `c` β€” containment matches selectors and index terms, never ciphertexts. This is the needle the client builds for a `@>` query: + +```json +{ + "sv": [ + { "s": "f510853a4ab9d4f75f51a533ac264c5d", "op": "01a3f2..." } + ] +} +``` + +## Storing encrypted JSON + +Type the column as `public.json`: + +```sql +CREATE TABLE orders ( + id BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY, + metadata public.json +); +``` + +There is no database-side configuration step. Which index terms a document carries is decided by the encryption client; typing the column as `public.json` is what makes the encrypted operators and functions resolve. The domain's `CHECK` constraint validates the payload shape on insert, so malformed values are rejected at write time. + +Insert and read through the Stack SDK or Proxy, which encrypt the document into the ste_vec payload on write and decrypt it on read. + +## What each node type supports + +During encryption, the client flattens the document: each unique path gets a deterministic **selector** hash, and each node gets an entry in the `sv` vector carrying index terms for its JSON type: + +| JSON node type | Index term | Equality (`=`, `<>`, `GROUP BY`) | Ordering (`<` … `>=`, `MIN`/`MAX`) | +| --- | --- | --- | --- | +| Object | `hm` (HMAC-256) | Yes | No | +| Array | `hm` (HMAC-256) | Yes | No | +| Boolean / JSON `null` | `hm` (HMAC-256) | Yes | No | +| String | `op` (CLLW OPE, string domain) | Yes | Yes | +| Number | `op` (CLLW OPE, numeric domain) | Yes | Yes | + +Each entry carries exactly one of `hm` or `op` β€” the domain `CHECK` enforces the exclusivity. `hm` is a deterministic hash, so it supports equality only. `op` is a CLLW OPE term that reveals ordering and, being deterministic, collapses to equality on matching selectors β€” `eql_v3.eq_term` reads whichever term an entry carries, so equality works uniformly across all node types. + +JSON `null` here means a `null` literal *inside* the document. A SQL `NULL` column value is not encrypted at all. + +## Blocked native jsonb operators + +These native PostgreSQL `jsonb` operators are **blocked** on `public.json`. They raise an error rather than silently running plaintext-jsonb semantics against the encrypted payload: + +- Key/path existence: `?`, `?|`, `?&`, `@?`, `@@` +- Path extraction: `#>`, `#>>` +- Mutation: `-`, `#-`, `||` +- Root-document comparison: `=`, `<>`, `<`, `<=`, `>`, `>=` + +Use containment (`@>` / `<@`), field access (`->` / `->>`), or the `eql_v3.jsonb_path_*` functions instead. There is no server-side mutation of an encrypted document β€” updates re-encrypt in the client. + + +**Operands must be typed** (`doc -> 'email'::text`, not `doc -> 'email'`) β€” an untyped operand resolves the native `jsonb` operator, bypassing both the encrypted operator and the blockers. See [Core concepts](/reference/eql/core-concepts). + + +## Containment: `@>` and `<@` + +`@>` tests whether the encrypted document contains a structure; `<@` is the reverse. Build the needle with the client and cast it to `eql_v3.query_jsonb` (a typed `public.json` or `public.jsonb_entry` operand also works): + +```sql +SELECT * FROM orders +WHERE metadata @> $1::eql_v3.query_jsonb; +``` + +This is the encrypted equivalent of the plaintext `metadata @> '{"customer": {"tier": "premium"}}'`: containment checks that every encrypted term in the needle exists in the document's `sv` vector. `eql_v3.to_ste_vec_query(doc)` converts a stored document into the needle shape, and `eql_v3.ste_vec_contains(a, b)` is the function form backing `@>`. + +For large tables, back containment with a GIN index. The typed `@>` overload inlines to a native `jsonb @>` over `eql_v3.to_ste_vec_query(col)::jsonb`, so a GIN index on that same expression engages: + +```sql +CREATE INDEX orders_metadata_gin + ON orders USING gin (eql_v3.to_ste_vec_query(metadata)::jsonb jsonb_path_ops); +ANALYZE orders; +``` + +See [Indexes](/reference/eql/indexes) for the full recipes. + +## Field access: `->` and `->>` + +Fields are addressed by **selector hash** β€” the deterministic identifier the client emits for a JSON path during encryption β€” not a plaintext path string like `$.customer.tier`. + +```sql +-- Field access by selector (returns public.jsonb_entry) +SELECT metadata -> 'selector_hash'::text FROM orders; + +-- The entry serialized as text (ciphertext JSON, not decrypted plaintext) +SELECT metadata ->> 'selector_hash'::text FROM orders; + +-- Array element by 0-based index +SELECT metadata -> 0 FROM orders; +``` + +The extracted `public.jsonb_entry` is itself comparable: + +- `=` / `<>` resolve via `eql_v3.eq_term` β€” works on every node type +- `<` / `<=` / `>` / `>=` resolve via `eql_v3.ord_ope_term` β€” String and Number leaves only +- `MIN` / `MAX` over an extracted ordered leaf use the `eql_v3.min` / `eql_v3.max` aggregates + +```sql +-- Equality on an extracted leaf +SELECT * FROM orders +WHERE metadata -> 'email_selector'::text = $1::public.jsonb_entry; + +-- Group by an extracted leaf's equality term +SELECT eql_v3.eq_term(metadata -> 'region_selector'::text) AS region, COUNT(*) +FROM orders +GROUP BY eql_v3.eq_term(metadata -> 'region_selector'::text); +``` + +A hash index on `eql_v3.eq_term(col -> ''::text)` engages the equality lookup; a btree on `eql_v3.ord_ope_term(...)` engages range and `ORDER BY`. The OPE term is a `bytea` domain that orders under the default btree operator class, so this index needs no custom operator class. See [Indexes](/reference/eql/indexes). + +## Path queries and array helpers + +The function forms take the same selector hashes: + +```sql +-- All entries matching a selector +SELECT eql_v3.jsonb_path_query(metadata, 'selector_hash') FROM orders; + +-- First match only +SELECT eql_v3.jsonb_path_query_first(metadata, 'selector_hash') FROM orders; + +-- Does the selector exist in this document? +SELECT eql_v3.jsonb_path_exists(metadata, 'selector_hash') FROM orders; +``` + +For encrypted array nodes: + +```sql +SELECT eql_v3.jsonb_array_length(metadata -> 'items_selector'::text) FROM orders; +SELECT eql_v3.jsonb_array_elements(metadata -> 'items_selector'::text) FROM orders; +SELECT eql_v3.jsonb_array_elements_text(metadata -> 'items_selector'::text) FROM orders; +``` + +`jsonb_array_elements` yields encrypted entries; `jsonb_array_elements_text` yields each element as ciphertext text. + +## Worked example + +An `orders` table with an encrypted `metadata` document. The plaintext your application works with: + +```json +{ + "customer": { + "tier": "premium", + "region": "apac" + }, + "items": ["sku-1042", "sku-2210"] +} +``` + +The client encrypts this into a ste_vec payload with selectors for `$`, `$.customer`, `$.customer.tier`, `$.customer.region`, `$.items`, and each array element β€” every path becomes queryable. + + + + +### Create the table and insert + +```sql +CREATE TABLE orders ( + id BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY, + metadata public.json +); + +INSERT INTO orders (metadata) VALUES ($1); +-- $1 is the encrypted ste_vec payload produced by the Stack SDK or Proxy +``` + + + + +### Query by containment + +Find premium orders. The client encrypts the needle `{"customer": {"tier": "premium"}}` into a `ste_vec_query`: + +```sql +SELECT id FROM orders +WHERE metadata @> $1::eql_v3.query_jsonb; +``` + +Add the GIN index from above once the table grows. + + + + +### Query by path + +Count orders per region, grouping on the encrypted leaf β€” the database never sees `"apac"`: + +```sql +SELECT eql_v3.eq_term(metadata -> 'region_selector'::text) AS region, COUNT(*) +FROM orders +WHERE eql_v3.jsonb_path_exists(metadata, 'region_selector') +GROUP BY 1; +``` + +The rows come back as ciphertext; decrypt them in the client. + + + + +## Where to next + + + + The envelope anatomy, typed-operand rule, and fail-loud behavior shared by every EQL type. + + + GIN containment and field-level functional index recipes. + + + WHERE-clause patterns across all encrypted types. + + diff --git a/content/docs/reference/eql/meta.json b/content/docs/reference/eql/meta.json new file mode 100644 index 0000000..6d448c7 --- /dev/null +++ b/content/docs/reference/eql/meta.json @@ -0,0 +1,23 @@ +{ + "title": "EQL", + "pages": [ + "core-concepts", + "---Types---", + "numbers", + "dates-and-times", + "text", + "json", + "booleans", + "---Indexes---", + "indexes", + "---Queries---", + "filtering", + "sorting", + "grouping-and-aggregates", + "joins", + "---Reference---", + "functions", + "---Previous versions---", + "v2" + ] +} diff --git a/content/docs/reference/eql/numbers.mdx b/content/docs/reference/eql/numbers.mdx new file mode 100644 index 0000000..7c74fd2 --- /dev/null +++ b/content/docs/reference/eql/numbers.mdx @@ -0,0 +1,163 @@ +--- +title: Numbers +description: "The complete reference for encrypted numeric columns: the int, float, and numeric domain variants, the ORE-backed payload they carry, and range, ORDER BY, and MIN/MAX queries." +type: reference +components: [eql] +verifiedAgainst: + eql: "3.0.0" +--- + + + +Six numeric types share one identical query surface: `int2`, `int4`, `int8`, `float4`, `float8`, and `numeric`. These are the columns you filter by range, sort, and take a `MIN` / `MAX` over β€” salaries, totals, rates, quantities. + +Date and time columns have the same capabilities but their own semantics β€” see [Dates & times](/reference/eql/dates-and-times). There is no free-text matching for numeric types β€” `_match` and `_search` are [text-only variants](/reference/eql/text). + +## Variants + +Each numeric type generates the same `jsonb`-backed domain variants. The generic form: + +| Domain variant | Capability | +| --- | --- | +| `public.` | Storage and decryption only. | +| `public._eq` | Equality: `=`, `<>`, `IN`, `GROUP BY`, `DISTINCT`, equijoins. | +| `public._ord` | Comparisons, `BETWEEN`, `ORDER BY`, `MIN` / `MAX` β€” plus equality. | +| `public._ord_ore` | As `_ord`, with the ORE mechanism pinned β€” see [SEM specifiers](#sem-specifiers). | + +And every concrete domain this page covers: + +| Type | Variants | +| --- | --- | +| `int2` | `public.smallint` Β· `public.smallint_eq` Β· `public.smallint_ord` Β· `public.smallint_ord_ore` | +| `int4` | `public.integer` Β· `public.integer_eq` Β· `public.integer_ord` Β· `public.integer_ord_ore` | +| `int8` | `public.bigint` Β· `public.bigint_eq` Β· `public.bigint_ord` Β· `public.bigint_ord_ore` | +| `float4` | `public.real` Β· `public.real_eq` Β· `public.real_ord` Β· `public.real_ord_ore` | +| `float8` | `public.double` Β· `public.double_eq` Β· `public.double_ord` Β· `public.double_ord_ore` | +| `numeric` | `public.numeric` Β· `public.numeric_eq` Β· `public.numeric_ord` Β· `public.numeric_ord_ore` | + +Declare only the capability you query on β€” each capability stores extra searchable material with defined leakage (see [Searchable encryption](/concepts/searchable-encryption)), and the variant model itself is covered in [Core concepts](/reference/eql/core-concepts). + +### Example + +A payroll table mixing the variants by how each column is queried: + +```sql +CREATE TABLE employees ( + id bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY, + salary public.bigint_ord, -- range queries, ORDER BY, MIN/MAX + tax_rate public.numeric_eq, -- exact lookup only + net_worth public.numeric -- store and decrypt only, never queried +); +``` + +### SEM specifiers + +All six types take the same mechanism specifiers on their orderable variant (the concept is defined in [Core concepts](/reference/eql/core-concepts#sem-specifiers)): + +| Specifier | Meaning | +| --- | --- | +| `_ord` | Orderable, using EQL's default mechanism (currently ORE). | +| `_ord_ore` | Orderable via ORE, pinned explicitly. | + +The EQL v3 release adds an OPE specifier for every orderable type; unspecified `_ord` columns keep tracking the default. + +## Payload + +A value for an `_ord` column carries the shared envelope keys (`v`, `i`, `c` β€” see [Core concepts](/reference/eql/core-concepts)) plus the `ob` ordering term. Here is a payload for the `public.bigint_ord` `salary` column: + +```json +{ + "v": 3, + "i": { "t": "employees", "c": "salary" }, + "c": "mBbKmsMM%bK#QQOx1yLDBHyD...", + "ob": [ + "7a1fd0c2...", "d24c9be1...", "03fa66b8...", "91b7e04d...", + "5c28aa19...", "e6f3071c...", "48d92ab5...", "0b64cf37..." + ] +} +``` + +- **`ob` is the only index term.** An `_ord` payload carries no `hm`: equality on `_ord` variants compares ORE terms, which collapse to equality β€” see [Core concepts](/reference/eql/core-concepts). Only `_eq` payloads carry `hm` (a single hex HMAC-SHA-256 string) instead of `ob`. +- **The `ob` block count varies with the plaintext width**: 8 blocks for the int types, 14 for `numeric`. + +## Operators + +| SQL operator | `public.` | `_eq` | `_ord` / `_ord_ore` | +| --- | :---: | :---: | :---: | +| `=` / `<>` | ❌ | βœ… | βœ… | +| `<` `<=` `>` `>=` | ❌ | ❌ | βœ… | +| `BETWEEN` (desugars to `>=` and `<=`) | ❌ | ❌ | βœ… | +| `IN` (desugars to `=`) | ❌ | βœ… | βœ… | +| `GROUP BY` / `DISTINCT` | ❌ | βœ… | βœ… | +| `ORDER BY` | ❌ | ❌ | βœ… | +| `IS NULL` / `IS NOT NULL` | βœ… | βœ… | βœ… | + +Blocked *operator* cells raise an `operator … is not supported` exception β€” they never silently return wrong rows. `ORDER BY` is the one blocked cell that doesn't raise: it isn't an operator, so sorting a variant without an ordering term runs β€” but the order is meaningless (see [Sorting](/reference/eql/sorting)). Operands must be typed (`$1::public.bigint_ord`), or PostgreSQL resolves the native `jsonb` operator instead of the encrypted one. Both rules are covered in [Core concepts](/reference/eql/core-concepts). + +## Functions + +Every operator has a function form, for managed platforms that disallow custom operators β€” same typed arguments, identical resolution. The `MIN` / `MAX` aggregates only exist as functions: + +| Function | Equivalent | Available on | +| --- | --- | --- | +| `eql_v3.eq(a, b)` / `eql_v3.neq(a, b)` | `=` / `<>` | `_eq`, `_ord` / `_ord_ore` | +| `eql_v3.lt` / `lte` / `gt` / `gte` | `<` `<=` `>` `>=` | `_ord` / `_ord_ore` | +| `eql_v3.min(col)` / `eql_v3.max(col)` | aggregate `MIN` / `MAX` | `_ord` / `_ord_ore` | + +**`SUM`, `AVG`, and other arithmetic aggregates are not supported** on encrypted columns β€” they would require homomorphic encryption. `MIN` / `MAX` work because they only need comparison; for sums and averages, decrypt at the application boundary and aggregate client-side. + +## Example queries + +### Range filter + +```sql +SELECT * FROM employees +WHERE salary >= $1::public.bigint_ord; + +SELECT * FROM employees +WHERE salary BETWEEN $1::public.bigint_ord AND $2::public.bigint_ord; +``` + +### MIN and MAX + +`eql_v3.min` / `eql_v3.max` compare ORE terms β€” no decryption happens in the database, and the encrypted result decrypts in the client. `NULL` inputs are skipped; an all-`NULL` input set returns `NULL`: + +```sql +SELECT eql_v3.min(salary) FROM employees; +SELECT eql_v3.max(salary) FROM employees; +``` + +### Sorted listing + +Write the sort key in extractor form to stream rows out of the index already ordered (see [Sorting](/reference/eql/sorting) for why): + +```sql +SELECT * FROM employees +ORDER BY eql_v3.ord_term(salary) DESC +LIMIT 10; +``` + +### Cast at the call site + +On a generic `jsonb` column whose payloads already carry the `ob` term, cast to the right domain in the query: + +```sql +SELECT eql_v3.min(salary_jsonb::public.bigint_ord) FROM employees; +``` + +## Where to next + + + + The same capabilities on date and timestamp columns. + + + Btree recipes on `eql_v3.ord_term` for range, ORDER BY, and MIN/MAX. + + + WHERE-clause patterns across all encrypted types. + + + GROUP BY, DISTINCT, and the aggregate surface on encrypted columns. + + diff --git a/content/docs/reference/eql/sorting.mdx b/content/docs/reference/eql/sorting.mdx new file mode 100644 index 0000000..2529fba --- /dev/null +++ b/content/docs/reference/eql/sorting.mdx @@ -0,0 +1,98 @@ +--- +title: Sorting +description: "ORDER BY on encrypted columns: which variants sort, when to write the sort key in extractor form, keyset pagination, and the ::jsonb projection trap." +type: reference +components: [eql] +verifiedAgainst: + eql: "3.0.0" +--- + + + +`ORDER BY` on an encrypted column needs an ORE ordering term: it works on `_ord` / `_ord_ore` variants of every scalar and on `text_search`. ORE terms are order-preserving, so the database sorts ciphertext in exactly the order the plaintext would sort β€” without decrypting anything. Which variants carry the term is covered in [Numbers](/reference/eql/numbers), [Dates & times](/reference/eql/dates-and-times), and [Text](/reference/eql/text); the variant model itself is in [Core concepts](/reference/eql/core-concepts). + +Sorting a variant *without* an ORE term (`_eq`, `text_match`, bare storage variants) won't raise β€” but the order is meaningless. Type the column as an `_ord` variant when ordering matters. + +## Bare form vs extractor form + +Both of these sort correctly: + +```sql +-- Bare form +SELECT * FROM users ORDER BY created_at DESC; + +-- Extractor form +SELECT * FROM users ORDER BY eql_v3.ord_term(created_at) DESC; +``` + +The difference is the plan. The planner inlines encrypted operators in *predicates*, so a `WHERE created_at < $1` matches a btree on `eql_v3.ord_term(created_at)` without rewriting β€” but it does **not** rewrite *sort keys*. Bare `ORDER BY created_at` therefore adds a `Sort` node above the scan, and that sort's cost scales linearly with the rows passing the filter. + +Writing the sort key in extractor form makes it textually match the index expression, so rows stream out of the btree already ordered β€” no `Sort` node at all: + +```sql +CREATE INDEX users_created_at_ord + ON users USING btree (eql_v3.ord_term(created_at)); +ANALYZE users; + +SELECT * FROM users + WHERE created_at < $1::public.timestamp_ord + ORDER BY eql_v3.ord_term(created_at) DESC + LIMIT 10; +-- Index Scan Backward using users_created_at_ord β€” no Sort node +``` + +At large row counts this is the difference between seconds and milliseconds, and it matters most for `LIMIT` queries: with a `Sort` node, Postgres must sort *every* matching row before it can return the top 10; streaming from the index, it stops after 10. + +Rule of thumb: bare form is fine for small result sets or when no ordering index exists; any hot query with `ORDER BY ... LIMIT` should use the extractor form. Confirm with `EXPLAIN (COSTS OFF)` β€” a `Sort` node above an `Index Scan` means the sort key didn't match the index. Full plan-reading guidance is in [Indexes](/reference/eql/indexes). + +## `ASC`, `DESC`, and `NULLS` + +`ASC` / `DESC` behave normally β€” a btree serves both directions (backward scans handle `DESC`). SQL `NULL` column values are not encrypted, so `NULLS FIRST` / `NULLS LAST` also behave normally: + +```sql +SELECT * FROM users +ORDER BY eql_v3.ord_term(last_login) DESC NULLS LAST; +``` + +## Keyset pagination + +`OFFSET` pagination degrades on encrypted columns the same way it does on plaintext ones β€” every page re-sorts and discards the rows before the offset. Keyset (cursor) pagination composes an encrypted range filter with an extractor-form sort: + +```sql +-- Page 1 +SELECT id, email, created_at FROM users + ORDER BY eql_v3.ord_term(created_at) DESC + LIMIT 20; + +-- Next page: pass the last row's created_at back, re-encrypted as the cursor +SELECT id, email, created_at FROM users + WHERE created_at < $1::public.timestamp_ord + ORDER BY eql_v3.ord_term(created_at) DESC + LIMIT 20; +``` + +Both the filter and the sort ride the same btree on `eql_v3.ord_term(created_at)`, so every page is an index scan that stops after 20 rows. The client re-encrypts the cursor value for the next request β€” the database only ever sees ciphertext. + +## The `::jsonb` projection trap + + +If you project the column with a cast and sort on it β€” `SELECT col::jsonb ... ORDER BY col` β€” Postgres folds the cast into the scan and uses `(col)::jsonb` as the sort key, which matches no index. Project the column raw and let the client decode it, or write the sort key as `eql_v3.ord_term(col)`, which sidesteps the problem entirely. + + +## Sorting extracted JSON leaves + +String and Number leaves inside an encrypted JSON document carry a CLLW OPE term, so they sort too β€” the extractor is `eql_v3.ord_ope_term` on the extracted entry: + +```sql +SELECT * FROM orders +ORDER BY eql_v3.ord_ope_term(metadata -> 'total_selector'::text) DESC +LIMIT 10; +``` + +A btree on the same `eql_v3.ord_ope_term(...)` expression streams this ordered, exactly like `ord_term` on a scalar column. Selectors, node types, and which leaves are orderable are covered in [JSON](/reference/eql/json). + +## Where to go next + +- [Indexes](/reference/eql/indexes) β€” the btree recipe behind every sort on this page, plus `EXPLAIN` verification and large-table build guidance. +- [Filtering](/reference/eql/filtering) β€” the range predicates that pair with these sorts. +- [Grouping & aggregates](/reference/eql/grouping-and-aggregates) β€” `MIN` / `MAX`, which use the same ordering term. diff --git a/content/docs/reference/eql/text.mdx b/content/docs/reference/eql/text.mdx new file mode 100644 index 0000000..7865e8c --- /dev/null +++ b/content/docs/reference/eql/text.mdx @@ -0,0 +1,185 @@ +--- +title: Text +description: "The complete reference for encrypted text columns: all six text domain variants, the multi-term payload, why LIKE is gone everywhere, and bloom-filter token containment as the encrypted free-text match." +type: reference +components: [eql] +verifiedAgainst: + eql: "3.0.0" +--- + + + +Text is the richest encrypted scalar. Beyond the four variants every scalar type gets, `text` adds two of its own: `text_match` for encrypted free-text matching, and `text_search` for columns you need to look up, sort, *and* search. Emails, names, tax IDs, addresses β€” this page is the full surface for all of them. + +## Variants + +All six are `jsonb`-backed domains. Which one you declare fixes the column's query capability β€” the variant model itself is covered in [Core concepts](/reference/eql/core-concepts): + +| Domain variant | Capability | +| --- | --- | +| `public.text` | Storage and decryption only. | +| `public.text_eq` | Equality: `=`, `<>`, `IN`, `GROUP BY`, `DISTINCT`, equijoins. | +| `public.text_ord` | Comparisons, `BETWEEN`, `ORDER BY`, `MIN` / `MAX` β€” plus equality. | +| `public.text_ord_ore` | As `text_ord`, with the ORE mechanism pinned β€” see [SEM specifiers](#sem-specifiers). | +| `public.text_match` | Free-text token containment: `@>` / `<@`. | +| `public.text_search` | Equality + ordering + token containment. | + +Declare only the capabilities you query on β€” each capability stores extra searchable material with defined leakage (see [Searchable encryption](/concepts/searchable-encryption)). + +### Example + +A users table mixing the variants by how each column is queried: + +```sql +CREATE TABLE users ( + id bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY, + email public.text_search, -- lookup, sort, and free-text match + name public.text_match, -- free-text match only + tax_id public.text_eq, -- exact lookup only + notes public.text -- store and decrypt only +); +``` + +### SEM specifiers + +Text takes the same mechanism specifiers as the other orderable types (the concept is defined in [Core concepts](/reference/eql/core-concepts#sem-specifiers)): + +| Specifier | Meaning | +| --- | --- | +| `_ord` | Orderable, using EQL's default mechanism (currently ORE). | +| `_ord_ore` | Orderable via ORE, pinned explicitly. | + +The EQL v3 release adds an OPE specifier for every orderable type β€” including `text` β€” so lexicographic ordering can be pinned to either mechanism; unspecified `_ord` columns keep tracking the default. + +## Payload + +A value for a `text_search` column carries the shared envelope keys (`v`, `i`, `c` β€” see [Core concepts](/reference/eql/core-concepts)) plus all three index terms: + +```json +{ + "v": 3, + "i": { "t": "users", "c": "email" }, + "c": "mBbKmsMM%bK#QQOx1yLDBHyD...", + "hm": "9c8ec1d2f9932b979b1bf3f09f8a4e2f6a41f8de2f0c8b7a52e1f5c3d4b6a790", + "ob": ["7a1fd0c2...", "d24c9be1...", "03fa66b8..."], + "bf": [42, 1290, -8113, 30201] +} +``` + +- `hm` β€” equality term: `WHERE email = $1` compares this +- `ob` β€” ordering term: `ORDER BY` and range comparisons walk these blocks +- `bf` β€” bloom-filter term: `@>` token containment tests these bit positions + +The narrower variants carry only their own term: a `text_eq` payload carries `hm` only, `text_match` carries `bf` only, and `text_ord` / `text_ord_ore` carry `ob` only (no `hm` β€” equality on `_ord` variants compares ORE terms, see [Core concepts](/reference/eql/core-concepts)). A payload missing its variant's required term fails the domain `CHECK` at write time. + +**`bf` positions are signed**: EQL stores the filter as PostgreSQL `smallint[]`, and filters sized above 32768 emit upper-half bit positions as *negative* signed values. Consumers must use a signed 16-bit integer type. + +## Operators + +| SQL operator | `public.text` | `text_eq` | `text_ord` / `text_ord_ore` | `text_match` | `text_search` | +| --- | :---: | :---: | :---: | :---: | :---: | +| `=` / `<>` | ❌ | βœ… | βœ… | ❌ | βœ… | +| `<` `<=` `>` `>=` | ❌ | ❌ | βœ… | ❌ | βœ… | +| `@>` / `<@` | ❌ | ❌ | ❌ | βœ… | βœ… | +| `LIKE` / `ILIKE` (`~~` / `~~*`) | ❌ | ❌ | ❌ | ❌ | ❌ | +| `IN` / `GROUP BY` / `DISTINCT` | ❌ | βœ… | βœ… | ❌ | βœ… | +| `ORDER BY` | ❌ | ❌ | βœ… | ❌ | βœ… | +| `IS NULL` / `IS NOT NULL` | βœ… | βœ… | βœ… | βœ… | βœ… | + +Blocked *operator* cells raise an `operator … is not supported` exception β€” they never silently return wrong rows. `ORDER BY` is the one blocked cell that doesn't raise: it isn't an operator, so sorting a variant without an ordering term runs β€” but the order is meaningless (see [Sorting](/reference/eql/sorting)). Operands must be typed (`$1::public.text_eq`), or PostgreSQL resolves the native `jsonb` operator instead of the encrypted one. Both rules are covered in [Core concepts](/reference/eql/core-concepts). + +## Functions + +Every operator has a function form, for managed platforms that disallow custom operators β€” same typed arguments, identical resolution. The `MIN` / `MAX` aggregates only exist as functions: + +| Function | Equivalent | Available on | +| --- | --- | --- | +| `eql_v3.eq(a, b)` / `eql_v3.neq(a, b)` | `=` / `<>` | `text_eq`, `text_ord` / `text_ord_ore`, `text_search` | +| `eql_v3.lt` / `lte` / `gt` / `gte` | `<` `<=` `>` `>=` | `text_ord` / `text_ord_ore`, `text_search` | +| `eql_v3.contains(a, b)` / `eql_v3.contained_by(a, b)` | `@>` / `<@` | `text_match`, `text_search` | +| `eql_v3.min(col)` / `eql_v3.max(col)` | aggregate `MIN` / `MAX` | `text_ord` / `text_ord_ore`, `text_search` | + +There are no `like` / `ilike` function forms β€” encrypted text matching is `eql_v3.contains` on a `text_match` value. + +## There is no `LIKE` + +`LIKE` and `ILIKE` (`~~` / `~~*`) raise on **every** encrypted-domain variant β€” including `text_match` and `text_search`. SQL pattern matching is meaningless on ciphertext. Encrypted text matching is bloom-filter token containment β€” `@>` on a `text_match` or `text_search` column: + +```sql +-- ❌ Raises: operator not supported +SELECT * FROM users WHERE email LIKE '%alice%'; + +-- βœ… Encrypted free-text match +SELECT * FROM users WHERE email @> $1::public.text_match; +``` + +`@>` / `<@` here is **probabilistic ngram-bloom containment** β€” it tests whether the encrypted text contains the (encrypted) search terms. It is not JSONB containment and not `LIKE`. The client encrypts the search term into a bloom-filter query value; false positives are possible, false negatives are not. There are no `like` / `ilike` function forms either β€” text matching is `eql_v3.contains` on a `text_match` value. + +## Example queries + +### Exact lookup + +Equality on a `text_eq` column compares HMAC terms. `IN` desugars to `=`: + +```sql +SELECT * FROM users WHERE tax_id = $1::public.text_eq; + +SELECT * FROM users +WHERE tax_id IN ($1::public.text_eq, $2::public.text_eq); +``` + +### Free-text match + +The client encrypts the search term into the bloom-filter needle: + +```sql +SELECT * FROM users WHERE name @> $1::public.text_match; + +-- Function form, for platforms without custom operators +SELECT * FROM users WHERE eql_v3.contains(name, $1::public.text_match); +``` + +### The works: `text_search` + +A `text_search` column answers exact lookup, free-text match, and ordering β€” here, all three in one query: + +```sql +SELECT id, email FROM users +WHERE email @> $1::public.text_match -- token containment on bf + AND email <> $2::public.text_eq -- exclude an exact value via hm +ORDER BY eql_v3.ord_term(email) -- sort on ob +LIMIT 20; +``` + +### Sorting text + +ORE terms are order-preserving, so `ORDER BY` sorts encrypted text correctly. Write the sort key in extractor form so a btree index can do the ordering instead of a `Sort` node β€” see [Sorting](/reference/eql/sorting): + +```sql +SELECT * FROM users +ORDER BY eql_v3.ord_term(email) +LIMIT 50; +``` + +`MIN` / `MAX` work on any ord-capable text column too: + +```sql +SELECT eql_v3.min(email) FROM users; +``` + +## Where to next + + + + Hash on `eq_term`, btree on `ord_term`, GIN on `match_term`. + + + WHERE-clause patterns across all encrypted types. + + + Extractor-form sort keys and index-backed ordering. + + + Equijoins on encrypted text columns, and the same-keyset rule. + + diff --git a/content/docs/reference/eql/v2/index.mdx b/content/docs/reference/eql/v2/index.mdx new file mode 100644 index 0000000..d25131a --- /dev/null +++ b/content/docs/reference/eql/v2/index.mdx @@ -0,0 +1,122 @@ +--- +title: EQL v2 +description: PostgreSQL types, operators, and functions for querying encrypted data with EQL v2 (v2.2) β€” the eql_v2_encrypted type and searchable index types. +type: reference +components: [eql] +verifiedAgainst: + eql: "2.2" +--- + + +This section documents **EQL v2** (v2.2), the release existing CipherStash deployments run. Starting a new project? Use **EQL v3** β€” see the [EQL reference](/reference/eql). + + +**Encrypt Query Language (EQL)** is a set of PostgreSQL types, operators, and functions that enable queries on encrypted data without decryption. EQL works seamlessly with the [CipherCell](/reference/eql/v2/payload) format to provide searchable encryption capabilities directly in PostgreSQL. + +## What is EQL? + +EQL provides the database-side components needed to query encrypted data. Unlike traditional PostgreSQL extensions, EQL is implemented as a collection of types, operators, and functions, making it compatible with managed database providers like AWS RDS that restrict extension installation. + +When combined with the [Encryption SDK](/stack/cipherstash/encryption) or [CipherStash Proxy](/stack/cipherstash/proxy), EQL enables: + +- **Exact match queries** using encrypted equality operators +- **Range queries** with order-preserving encryption +- **Pattern matching** using encrypted Bloom filters +- **Unique constraints** on encrypted columns +- **JSON/JSONB operations** on encrypted structured data + +## Core components + +### The `eql_v2_encrypted` type + +The foundation of EQL is the `eql_v2_encrypted` data type, which stores [CipherCells](/reference/eql/v2/payload) containing encrypted data and searchable encrypted metadata. + +```sql +CREATE TABLE users ( + id SERIAL PRIMARY KEY, + email eql_v2_encrypted, + name eql_v2_encrypted +); +``` + + +The `eql_v2_encrypted` type is required for searchable encryption in PostgreSQL. Regular `JSON` or `JSONB` types can store CipherCells but do not support encrypted queries. + + +### Operators + +EQL provides PostgreSQL operators that work directly with encrypted data: + +```sql +-- Exact match +SELECT * FROM users WHERE email = 'encrypted_search_value'::eql_v2_encrypted; + +-- Range queries +SELECT * FROM products WHERE price > 'encrypted_value'::eql_v2_encrypted; + +-- Pattern matching +SELECT * FROM documents WHERE content LIKE '%encrypted_pattern%'; +``` + +### Functions + +EQL ships in the `eql_v2` schema, with functions in three groups: + +- **Configuration** β€” register tables, columns, and searchable indexes in the EQL configuration. +- **Index-term extraction** β€” `eql_v2.hmac_256()` (exact match), `eql_v2.bloom_filter()` (pattern matching), and `eql_v2.ore_block_u64_8_256()` (range) extract a searchable term from an encrypted value. These back the functional indexes β€” see [Setting up indexes](/reference/eql/v2/indexes). +- **Comparison** β€” operators (`=`, `<`, `LIKE`, `@>`, …) are the query surface over encrypted columns. + +For the complete, per-version function reference β€” every signature, parameter, and return type β€” see the [EQL API reference](/stack/reference/eql/), generated from each EQL release. + +## Index types + +EQL supports multiple searchable encryption index types. Each index type enables different query patterns: + +### `unique`: Exact match + +Enables exact equality queries and unique constraints using HMAC-SHA256. + +[Learn more about exact indexes](/stack/cipherstash/encryption/searchable-encryption#exact-match) + +### `ore`: Range queries + +Enables range comparisons (`<`, `>`, `BETWEEN`) and ordering (`ORDER BY`) using Order Revealing Encryption. + +[Learn more about range indexes](/stack/cipherstash/encryption/searchable-encryption#range--order) + +### `match`: Pattern matching + +Enables substring and full-text search (`LIKE`, `ILIKE`) using encrypted Bloom filters with trigrams. + +[Learn more about match indexes](/stack/cipherstash/encryption/searchable-encryption#match-pattern) + +### `ste_vec`: Structured data + +Enables containment queries and JSON-style operations on encrypted arrays and JSONB data. + +## How it works + +EQL leverages PostgreSQL's native indexing capabilities to enable efficient queries on encrypted data. The searchable encrypted metadata within [CipherCells](/reference/eql/v2/payload) is indexed using standard PostgreSQL index types (B-tree for exact/range, GIN for pattern matching). + +When a query is executed: + +1. **Client-side**: The application encrypts the search value using the same encryption scheme, producing a CipherCell with the appropriate searchable encrypted metadata +2. **Database-side**: EQL operators extract and compare the searchable encrypted metadata from both the stored CipherCells and the search CipherCell +3. **Result**: Matching rows are returned without ever decrypting the data in the database + +## Compatibility + +EQL is designed to work with: + +- **PostgreSQL 14+**: Full support for all EQL features +- **Managed databases**: Works with AWS RDS, Azure Database, Google Cloud SQL, and other managed PostgreSQL providers +- **CipherStash SDKs**: Integrates with all CipherStash SDKs as well as CipherStash Proxy + + +Unlike PostgreSQL extensions that require `CREATE EXTENSION`, EQL types and functions are installed directly into your database schema, making it compatible with managed database environments that restrict extension installation. + + +## Related documentation + +- [CipherCell format](/reference/eql/v2/payload): The data structure used by EQL +- [Supported queries](/stack/cipherstash/encryption/searchable-encryption): Available searchable encryption schemes diff --git a/content/docs/reference/eql/v2/indexes.mdx b/content/docs/reference/eql/v2/indexes.mdx new file mode 100644 index 0000000..6a84ca4 --- /dev/null +++ b/content/docs/reference/eql/v2/indexes.mdx @@ -0,0 +1,154 @@ +--- +title: Setting up indexes +description: Create PostgreSQL indexes for encrypted columns. Index syntax differs between self-hosted PostgreSQL and managed databases like Supabase. +type: reference +components: [eql] +verifiedAgainst: + eql: "2.2" +--- + + +EQL v2 reference, for existing v2.2 deployments. New projects use [EQL v3](/reference/eql). + + +Encrypted columns need PostgreSQL indexes for fast queries. Without an index, the database performs a sequential scan: correct but slow at scale. + +Index syntax differs between deployment types. Self-hosted PostgreSQL with full EQL installed supports custom operator classes and can use B-tree indexes directly on `eql_v2_encrypted` columns. Managed databases like Supabase cannot install operator families (they require superuser), so indexes must use extraction functions instead. + +## Deployment matrix + +| Query type | Self-hosted (full EQL) | Supabase | +|---|---|---| +| Equality | `USING btree (col)` with opclass, or `USING hash (eql_v2.hmac_256(col))` | `USING hash (eql_v2.hmac_256(col))` only | +| Range / ORDER BY | `USING btree (col)` with opclass | None (OPE-index work in progress) | +| Pattern match | `USING gin (eql_v2.bloom_filter(col))` | Same | +| JSONB containment | `USING gin (eql_v2.ste_vec(col))` | Same | + + + Range filters (`>`, `>=`, `<`, `<=`) work on Supabase without a range index (they use a sequential scan). `ORDER BY` on encrypted columns is not supported on Supabase at all. Sort application-side after decrypting results. Operator family support for Supabase is in development. + + +--- + +## Equality + +Equality indexes speed up `WHERE col = $1` queries and `IN` lists. + +**Self-hosted (B-tree with operator class):** + +```sql +CREATE INDEX ON users USING btree (email); +``` + +This works because the full EQL install registers a B-tree operator class for `eql_v2_encrypted` that compares HMAC terms. + +**Self-hosted or Supabase (hash on extraction function):** + +```sql +CREATE INDEX ON users USING hash (eql_v2.hmac_256(email)); +``` + +This form works on both deployment types. Use it when you want one index that works everywhere, or when you are on Supabase. + +See queries: [Equality queries](/reference/eql/v2/queries#equality) + +--- + +## Match + +Match indexes speed up `WHERE col LIKE $1` and `ILIKE` queries. They use a GIN index on the Bloom filter extracted from each encrypted value. + +```sql +CREATE INDEX ON users USING gin (eql_v2.bloom_filter(name)); +``` + +This form is identical for self-hosted and Supabase. + +See queries: [Match queries](/reference/eql/v2/queries#match-free-text) + +--- + +## Range and order + +Range indexes support `>`, `>=`, `<`, `<=`, `BETWEEN`, and `ORDER BY` on encrypted columns. + +**Self-hosted (B-tree with operator class):** + +```sql +CREATE INDEX ON users USING btree (age); +``` + +Requires the EQL operator family (`CREATE OPERATOR FAMILY`) to be installed. The full EQL install includes this. The `--exclude-operator-family` install flag omits it. + +**Supabase:** + +Functional range indexes for Supabase are not yet available. Range _filters_ work without an index (sequential scan). `ORDER BY` on encrypted columns is not supported on Supabase. + +See queries: [Range queries](/reference/eql/v2/queries#range-and-ordering) + +--- + +## JSONB + +JSONB indexes support path existence and containment queries on encrypted JSON columns. + +```sql +CREATE INDEX ON documents USING gin (eql_v2.ste_vec(metadata)); +``` + +This form is identical for self-hosted and Supabase. + +See queries: [JSONB queries](/reference/eql/v2/queries#jsonb-queries) + +--- + +## Supabase query forms + +This is the most common source of silent performance problems with encrypted columns on Supabase. + +A functional index on `eql_v2.hmac_256(email)` is only engaged when the query uses the same extraction function. A bare `WHERE email = $1` query does not use the index, even if the index exists. The database falls back to a sequential scan: your query returns correct results, but it scans every row. + +**Wrong (does not use functional index):** + +```sql +SELECT * FROM users WHERE email = $1::eql_v2_encrypted; +``` + +**Right (engages the functional index):** + +```sql +SELECT * FROM users WHERE eql_v2.hmac_256(email) = eql_v2.hmac_256($1::eql_v2_encrypted); +``` + + + SDK wrappers (Drizzle adapter, Supabase wrapper) generate the correct query form automatically. This only matters when you write raw SQL queries against Supabase encrypted columns. If you are using the Drizzle adapter or Supabase wrapper, no action is needed. + + +The same principle applies to `eql_v2.bloom_filter` and `eql_v2.ste_vec` indexes: the extraction function must appear in both the index definition and the query predicate. + +--- + +## Complete example + +```sql filename="migrations/add_encrypted_indexes.sql" +-- Equality index (Supabase-compatible form) +CREATE INDEX users_email_eq_idx ON users USING hash (eql_v2.hmac_256(email)); + +-- Match index +CREATE INDEX users_name_match_idx ON users USING gin (eql_v2.bloom_filter(name)); + +-- JSONB index +CREATE INDEX documents_metadata_ste_idx ON documents USING gin (eql_v2.ste_vec(metadata)); + +-- Range index (self-hosted only β€” requires operator family) +CREATE INDEX users_age_range_idx ON users USING btree (age); +``` + +--- + +## Related + +- [Searchable encryption queries](/reference/eql/v2/queries): Query patterns for each index type +- [Searchable encryption overview](/stack/cipherstash/encryption/searchable-encryption): How searchable indexes work +- [Supabase integration](/stack/cipherstash/supabase): Supabase-specific setup and limitations +- [EQL guide](/reference/eql/v2): Full reference for EQL types and functions diff --git a/content/docs/reference/eql/v2/meta.json b/content/docs/reference/eql/v2/meta.json new file mode 100644 index 0000000..68333fd --- /dev/null +++ b/content/docs/reference/eql/v2/meta.json @@ -0,0 +1,4 @@ +{ + "title": "EQL v2", + "pages": ["indexes", "queries", "payload"] +} diff --git a/content/docs/reference/eql/v2/payload.mdx b/content/docs/reference/eql/v2/payload.mdx new file mode 100644 index 0000000..953264d --- /dev/null +++ b/content/docs/reference/eql/v2/payload.mdx @@ -0,0 +1,309 @@ +--- +title: The CipherCell +description: Understand the CipherCell, the CipherStash JSON format that stores ciphertext, searchable encrypted metadata, and fields for querying encrypted data via EQL. +type: reference +components: [eql] +verifiedAgainst: + eql: "2.2" +--- + + +EQL v2 reference, for existing v2.2 deployments. New projects use [EQL v3](/reference/eql). + + +The **CipherCell** is CipherStash's standard format for storing encrypted data in a database. It is a JSON-based structure that combines **encrypted values**, **searchable encrypted metadata**, and **non-sensitive metadata** into a single, self-contained record. +CipherCells are designed to make encrypted data practical to work with in real applications. They can be stored in existing databases (such as PostgreSQL jsonb columns), indexed, queried, and audited without exposing plaintext. + +## What a CipherCell contains + +A CipherCell typically includes: + +- **Encrypted data** + - The ciphertext for one or more sensitive values. + - Each value is encrypted independently using strong authenticated encryption and unique per-value keys. +- **Searchable Encrypted Metadata (SEM)** + - Additional cryptographic material derived from the plaintext that enables secure querying using searchable encryption. + - This metadata allows operations such as equality checks, range queries, or text search to be performed **without decrypting the data**. + - The database can evaluate queries over this metadata, but cannot recover the original values. +- **Non-sensitive metadata** + - Plaintext fields that are safe to expose, such as schema identifiers, versioning information, timestamps, or application-level IDs. + - Keeping this metadata unencrypted allows efficient filtering, indexing, and integration with existing tooling. + +## How CipherCells are used + +CipherCells are stored directly in the database, usually in a JSON-compatible column. +[Encrypt Query Language (EQL)](/reference/eql/v2) understands this structure and provides database functions and operators that work over CipherCells, enabling encrypted search and filtering while preserving strong security guarantees. + +From an application's perspective, a CipherCell behaves like a regular database value: + +- Applications write encrypted data as JSON +- Databases store and index it +- Queries operate on Searchable Encrypted Metadata (SEM) +- Decryption happens only in trusted application code with the right keys and claims + +## Why CipherCells exist + +The CipherCell format solves a common problem with encryption at rest: traditional encryption makes data opaque and hard to query. CipherCells retain the benefits of encryption while enabling: + +- Fine-grained, **per-value** protection +- Searchable encryption over structured data +- Compatibility with existing databases and ORMs +- Clear separation between sensitive and non-sensitive information + +A CipherCell is the **unit of encrypted storage** in CipherStash: a portable, self-describing JSON record that makes encrypted data usable, searchable, and auditable by default. + +## Structure + + +**Required fields**: Only `i` (identifier) and `v` (version) are required. + +**Payload requirement**: Either `c` (ciphertext) or `sv` (structured encryption vector) must be present, but never both. + +**Optional fields**: All searchable encrypted metadata (SEM) fields are optional and only included when the corresponding index types are configured. + + +A CipherCell is stored as a JSON object with the following top-level structure: + +```json +{ + "i": { + "t": "table_name", + "c": "column_name" + }, + "v": 2, + "c": "encrypted_data_in_messagepack_base85", + "hm": "2e182f0c444d1d51f5f70f32d778b2eaa854f5921a4a2acaa4446c44055cb777", + "ob": ["ore_block_1", "ore_block_2"], + "bf": [1234, 5678, 9012] +} +``` + +## Top-level fields + +### `i` - Identifier + +The table and column identifier for this encrypted data. + +**Type**: Object with `t` (table) and `c` (column) properties + +**Required**: Yes + +```json +{ + "i": { + "t": "users", + "c": "email" + } +} +``` + +This field identifies which table and column the encrypted data belongs to, enabling proper decryption and index usage. + +### `v` - Version + +The encryption version used for this CipherCell. + +**Type**: Integer + +**Required**: Yes + +```json +{ + "v": 2 +} +``` + +The version field allows for cryptographic algorithm upgrades over time while maintaining backward compatibility. + +### `c` - Ciphertext (required unless `sv` is present) + +The encrypted record containing the actual plaintext data. + +**Type**: String (MessagePack encoded and Base85 encoded) + +**Required**: Yes (unless `sv` field is present) + +```json +{ + "c": "Xk}0>Z*pVbW@%*8a%F0@" +} +``` + + +Either `c` or `sv` must be present in every CipherCell, but never both. Use `c` for standard encrypted values and `sv` for structured encryption vectors (arrays or JSON structures). + + +### `a` - Array item flag + +Indicates whether this CipherCell represents an item within an array. + +**Type**: Boolean + +**Required**: No + +```json +{ + "a": true +} +``` + +## Searchable Encrypted Metadata (SEM) + +The CipherCell can contain various types of searchable encrypted metadata, each enabling different query capabilities. All SEM fields are optional and only included when the corresponding index type is configured. + +### `hm` - HMAC-SHA256 + +Enables exact match queries using HMAC-SHA256. + +**Type**: Hex-encoded string (64 characters) + +**Index Type**: [Exact](/stack/cipherstash/encryption/searchable-encryption#exact-match) + +```json +{ + "hm": "2e182f0c444d1d51f5f70f32d778b2eaa854f5921a4a2acaa4446c44055cb777" +} +``` + +### `ob` - ORE Block + +Enables range queries and ordering using Order Revealing Encryption. + +**Type**: Array of strings + +**Index Type**: [Order / Range](/stack/cipherstash/encryption/searchable-encryption#range--order) + +```json +{ + "ob": [ + "01a2b3c4d5e6f7g8h9i0", + "j1k2l3m4n5o6p7q8r9s0" + ] +} +``` + +### `bf` - Bloom Filter + +Enables substring and pattern matching queries using encrypted Bloom filters with trigrams. + +**Type**: Array of integers + +**Index Type**: [Match](/stack/cipherstash/encryption/searchable-encryption#match-pattern) + +```json +{ + "bf": [1234, 5678, 9012, 3456, 7890] +} +``` + +### `b3` - Blake3 + +Blake3 hash for exact matches in structured encryption vectors. + +**Type**: Hex-encoded string + +**Used in**: SteVec (Structured Encryption Vector) subfield + +### `s` - Selector + +Selector value for field selection in structured encryption vectors. + +**Type**: String + +**Used in**: SteVec (Structured Encryption Vector) subfield + +### `ocf` - ORE CLWW Fixed-Width + +ORE CLWW (Chenette-Lewi-Weis-Wu) fixed-width scheme for 64-bit integer values in structured encryption vectors. + +**Type**: String + +**Used in**: SteVec (Structured Encryption Vector) subfield + +### `ocv` - ORE CLWW Variable-Width + +ORE CLWW variable-width scheme for string comparison in structured encryption vectors. + +**Type**: String + +**Used in**: SteVec (Structured Encryption Vector) subfield + +### `sv` - Structured Encryption Vector (SteVec) (required unless `c` is present) + +Nested array of CipherCells for supporting containment queries and JSON-style operations. + +**Type**: Array of CipherCell objects + +**Required**: Yes (unless `c` attribute is present) + +```json +{ + "sv": [ + { + "c": "Xk}0>Z*pVbW@%*8a%F0@", + "hm": "hash1...", + "s": "selector1" + }, + { + "c": "Yl~1?A+qWcX#&+9b&G1#", + "hm": "hash2...", + "s": "selector2" + } + ] +} +``` + +SteVec enables queries on array elements and JSON document structures while maintaining encryption. Each element in the `sv` array is itself a CipherCell that can contain SEM fields like `b3`, `s`, `ocf`, and `ocv`. + +## Complete example + +Here's a complete CipherCell with multiple index types enabled: + +```json +{ + "i": { + "t": "products", + "c": "price" + }, + "v": 2, + "c": "Xk}0>Z*pVbW@%*8a%F0@Yl~1?A+qWcX#&+9b&G1#", + "hm": "2e182f0c444d1d51f5f70f32d778b2eaa854f5921a4a2acaa4446c44055cb777", + "ob": [ + "01a2b3c4d5e6f7g8h9i0", + "j1k2l3m4n5o6p7q8r9s0", + "t1u2v3w4x5y6z7a8b9c0" + ], + "bf": [1234, 5678, 9012, 3456, 7890, 2345, 6789] +} +``` + +This CipherCell: +- Belongs to the `price` column of the `products` table +- Uses encryption version 2 +- Contains the encrypted plaintext value +- Supports exact match queries via `hm` +- Supports range queries and ordering via `ob` +- Supports pattern matching via `bf` + +## Design principles + +### Minimal storage + +Only the index types configured for a column are included in the CipherCell. This minimizes storage overhead and ensures optimal performance. + +### Composable indexes + +Multiple index types can be combined on a single column, enabling both exact matches and range queries, or exact matches and pattern matching, depending on application needs. + +### Forward compatibility + +The version field (`v`) enables cryptographic algorithm upgrades without requiring full database re-encryption. Older versions can coexist with newer versions during migration. + +### Standardized format + +The CipherCell format is consistent across all CipherStash SDKs and tools, ensuring interoperability and portability of encrypted data. + +## Database storage + +CipherCells can be stored as JSON in any database that supports JSON data types. +However, for search to be supported using the [Encryption SDK](/stack/cipherstash/encryption) or [CipherStash Proxy](/stack/cipherstash/proxy), the `eql_v2.encrypted` database type must be used which is available when the Encrypt Query Language (EQL) helpers have been installed. diff --git a/content/docs/reference/eql/v2/queries.mdx b/content/docs/reference/eql/v2/queries.mdx new file mode 100644 index 0000000..cbf0f81 --- /dev/null +++ b/content/docs/reference/eql/v2/queries.mdx @@ -0,0 +1,277 @@ +--- +title: Searchable encryption queries +description: Equality, match, and range query patterns for encrypted PostgreSQL columns, with SDK predicates and raw SQL forms. +type: reference +components: [eql] +verifiedAgainst: + eql: "2.2" +--- + + +EQL v2 reference, for existing v2.2 deployments. New projects use [EQL v3](/reference/eql). + + +This page covers the three query families available for encrypted columns: equality, match (free-text), and range/order. Each section shows the SDK predicate, the raw SQL form, the underlying EQL index, and links to the corresponding index setup. + +For index creation (the `CREATE INDEX` statements your database needs), see [Setting up indexes](/reference/eql/v2/indexes). + +For a conceptual overview of how searchable encryption works, see [Searchable encryption](/stack/cipherstash/encryption/searchable-encryption). + +## Equality + +Exact match on an encrypted column. Uses the `unique` (HMAC-SHA256) index. + +**Schema:** + +```typescript filename="src/schema.ts" +import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema" + +const users = encryptedTable("users", { + email: encryptedColumn("email").equality(), +}) +``` + +**SDK (single value):** + +```typescript filename="src/queries.ts" +const term = await client.encryptQuery("alice@example.com", { + column: users.email, + table: users, + queryType: "equality", +}) + +const result = await pgClient.query( + "SELECT * FROM users WHERE email = $1", + [term.data], +) +``` + +**SDK (IN list):** + +```typescript filename="src/queries.ts" +const terms = await client.encryptQuery([ + { value: "alice@example.com", column: users.email, table: users, queryType: "equality" as const }, + { value: "bob@example.com", column: users.email, table: users, queryType: "equality" as const }, +]) + +// Use each term.data as a separate parameter, or build an ANY($1) query. +``` + +**Drizzle:** + +```typescript filename="src/queries.ts" +const results = await db + .select() + .from(usersTable) + .where(await encryptionOps.eq(usersTable.email, "alice@example.com")) +``` + +**Supabase wrapper:** + +```typescript filename="src/queries.ts" +const { data } = await eSupabase + .from("users", users) + .select("id, email") + .eq("email", "alice@example.com") +``` + +**Raw SQL (self-hosted with EQL operator classes):** + +```sql +SELECT * FROM users WHERE email = $1::eql_v2_encrypted; +``` + +**Raw SQL (Supabase / functional index form):** + +```sql +SELECT * FROM users WHERE eql_v2.hmac_256(email) = eql_v2.hmac_256($1::eql_v2_encrypted); +``` + + + On Supabase, bare `WHERE email = $1` does not use the functional index. Wrap both sides with `eql_v2.hmac_256()` to engage the hash index. The SDK wrappers (Drizzle, Supabase wrapper) handle this automatically. See [Index setup: Supabase callout](/reference/eql/v2/indexes#supabase-query-forms). + + +**Underlying index:** [Equality index setup](/reference/eql/v2/indexes#equality) + +--- + +## Match (free-text) + +Substring and full-text search on an encrypted column. Uses the `match` (Bloom filter) index. Corresponds to `LIKE` / `ILIKE` semantics. + +**Schema:** + +```typescript filename="src/schema.ts" +const users = encryptedTable("users", { + name: encryptedColumn("name").freeTextSearch(), +}) +``` + +**SDK:** + +```typescript filename="src/queries.ts" +const term = await client.encryptQuery("alice", { + column: users.name, + table: users, + queryType: "freeTextSearch", +}) + +const result = await pgClient.query( + "SELECT * FROM users WHERE name LIKE $1", + [term.data], +) +``` + +**Drizzle:** + +```typescript filename="src/queries.ts" +const results = await db + .select() + .from(usersTable) + .where(await encryptionOps.ilike(usersTable.name, "%alice%")) +``` + +**Supabase wrapper:** + +```typescript filename="src/queries.ts" +const { data } = await eSupabase + .from("users", users) + .select("id, name") + .ilike("name", "%alice%") +``` + +**Raw SQL:** + +```sql +SELECT * FROM users WHERE name LIKE $1; +``` + +The Bloom filter index uses a GIN index on the extracted filter term. See [Match index setup](/reference/eql/v2/indexes#match). + +**Underlying index:** [Match index setup](/reference/eql/v2/indexes#match) + +--- + +## Range and ordering + +Comparison (`>`, `>=`, `<`, `<=`, `BETWEEN`) and `ORDER BY` on an encrypted column. Uses the `ore` (Order Revealing Encryption) index. + +**Schema:** + +```typescript filename="src/schema.ts" +const users = encryptedTable("users", { + age: encryptedColumn("age").dataType("number").orderAndRange(), +}) +``` + +**SDK (range filter):** + +```typescript filename="src/queries.ts" +const term = await client.encryptQuery(21, { + column: users.age, + table: users, + queryType: "orderAndRange", +}) + +const result = await pgClient.query( + "SELECT * FROM users WHERE age > $1", + [term.data], +) +``` + +**SDK, ORDER BY (self-hosted only):** + +```typescript filename="src/queries.ts" +// Self-hosted PostgreSQL with EQL operator families installed: +const result = await pgClient.query( + "SELECT * FROM users ORDER BY age ASC", +) + +// Without operator family support (Supabase, or --exclude-operator-family): +const result = await pgClient.query( + "SELECT * FROM users ORDER BY eql_v2.ore_block_u64_8_256(age) ASC", +) +``` + +**Drizzle:** + +```typescript filename="src/queries.ts" +// Range +const results = await db + .select() + .from(usersTable) + .where(await encryptionOps.gte(usersTable.age, 18)) + +// Sort (requires operator family support; not available on Supabase) +const results = await db + .select() + .from(usersTable) + .orderBy(encryptionOps.asc(usersTable.age)) +``` + +**Supabase wrapper:** + +```typescript filename="src/queries.ts" +// Range filter works +const { data } = await eSupabase + .from("users", users) + .select("id, age") + .gte("age", 18) + +// ORDER BY on encrypted columns is not supported on Supabase. +// Sort application-side after decrypting. +``` + + + `ORDER BY` on encrypted columns requires EQL operator families, which need superuser access to install. Supabase does not grant superuser. Range _filters_ (`>`, `>=`, `<`, `<=`) work on both self-hosted and Supabase. Sorting on encrypted columns is not currently supported on Supabase. Sort application-side after decrypting results. Operator family support for Supabase is being developed in collaboration with the Supabase and CipherStash teams. + + +**Underlying index:** [Range index setup](/reference/eql/v2/indexes#range-and-order) + +--- + +## JSONB queries + +Query encrypted JSON columns using path existence or containment. Uses the `ste_vec` index. + +**Schema:** + +```typescript filename="src/schema.ts" +const documents = encryptedTable("documents", { + metadata: encryptedColumn("metadata").searchableJson(), +}) +``` + +**SDK (path existence):** + +```typescript filename="src/queries.ts" +const term = await client.encryptQuery("$.user.role", { + column: documents.metadata, + table: documents, +}) + +const result = await pgClient.query( + "SELECT * FROM documents WHERE eql_v2.ste_vec(metadata) @> $1", + [term.data], +) +``` + +**SDK (containment):** + +```typescript filename="src/queries.ts" +const term = await client.encryptQuery({ role: "admin" }, { + column: documents.metadata, + table: documents, +}) +``` + +**Drizzle:** + +```typescript filename="src/queries.ts" +const results = await db + .select() + .from(documentsTable) + .where(await encryptionOps.jsonbPathExists(documentsTable.metadata, "$.user.role")) +``` + +**Underlying index:** [JSONB index setup](/reference/eql/v2/indexes#jsonb) diff --git a/content/docs/reference/glossary.mdx b/content/docs/reference/glossary.mdx new file mode 100644 index 0000000..3a75a94 --- /dev/null +++ b/content/docs/reference/glossary.mdx @@ -0,0 +1,156 @@ +--- +title: Glossary +description: "Definitions of key CipherStash concepts and terms, from ZeroKMS, keysets, and client keys to EQL, HMAC, and searchable encryption." +type: reference +--- + +## A + +### ABAC (Attribute Based Access Control) + +A dynamic security model that makes access decisions based on a variety of attributes, including user characteristics, resource details, and environmental factors. Unlike [RBAC](#rbac-role-based-access-control), which relies solely on a user's assigned role, ABAC offers more granular and context-aware policies that adapt to changing conditions. + +### Access key + +A persistent authentication credential used for communication with [ZeroKMS](#zerokms) or [CTS](#cts-cipherstash-token-service). See [access keys](/stack/cipherstash/kms/access-keys). + +### Account management + +Activities to administer your CipherStash account, such as billing and adding or removing users. See [billing](/reference/workspace/billing) and [members](/reference/workspace/members). + +## C + +### Ciphertext + +An encrypted version of plaintext, produced by applying an encryption algorithm (a cipher). It is unreadable without a cipher to decrypt it. + +See also: [plaintext](#plaintext). + +### CipherStash CLI + +The command line tool (`stash`) for interacting with CipherStash services. See the [CLI reference](/reference/cli). + +### CipherStash Proxy + +A database proxy that sits between an application and a database, adding encryption in use. Proxy works alongside your existing infrastructure and is fully contained within your environment. See the [Proxy reference](/reference/proxy). + +### Client key + +The cryptographic credential assigned to a programmatic access point for a [keyset](#keyset). A client key can have access to many keysets, and a keyset can be shared by multiple client keys. + +There are two types: + +- **Device-backed client keys** are created automatically by `stash init` and tied to a developer's [device](#device). Used for local development. +- **Application client keys** are created in the Dashboard for production and CI/CD. Identified by a [client ID](#client-id) and client key value, set via environment variables. + +See [client keys](/stack/cipherstash/kms/clients). + +### Client ID + +A unique identifier for a [client key](#client-key). Each client key and client ID is unique to your app. + +### Client key value + +The secret credential set via `CS_CLIENT_KEY`. Together with the [client ID](#client-id), it forms the credential pair for a [client key](#client-key). The client key value is sensitive and must be kept secret. + +### CTS (CipherStash Token Service) + +CTS manages the trust relationships between a workspace and third-party or customer identity providers. It brokers secure access to CipherStash services such as ZeroKMS, ensuring that only authenticated and authorized users gain entry. See [CTS](/stack/cipherstash/kms/cts). + +## D + +### Dashboard + +The web interface for managing CipherStash Cloud primitives: workspaces, client keys, keysets, access keys, devices, and members. Available at [dashboard.cipherstash.com](https://dashboard.cipherstash.com/). + +The Dashboard manages cloud infrastructure. Product-specific configuration (encryption schemas, secrets, proxy rules) is handled by the SDKs and CLI. + +### Data access event + +An event triggered by execution of SQL statements by CipherStash Proxy. Includes metadata of statements executed and records accessed. + +### Device + +A unique identity tied to a developer's device and user account, created by `stash init`. Each device has an associated [client key](#client-key) that is automatically granted access to the default [keyset](#keyset). + +Devices are used for local development authentication, with no environment variables required. Production environments use application [client keys](#client-key) instead. See the [quickstart](/stack/quickstart). + +## E + +### EQL (Encrypt Query Language) + +Our [open-source library](https://github.com/cipherstash/encrypt-query-language) for PostgreSQL users. EQL provides the database-side surface for querying encrypted data: encrypted column types, the operators that compare them, and the term-extractor functions that make indexes work. EQL itself never encrypts anything. See the [EQL reference](/reference/eql). + +## H + +### HMAC (Hash-based Message Authentication Code) + +A cryptographic technique that combines a hash function with a secret key to verify both the integrity and authenticity of a message. Unlike raw hash functions such as SHA-256, HMAC requires a secret key, so only parties with the key can generate valid HMACs. This prevents attackers from pre-computing hash tables (rainbow tables) or guessing values. + +In searchable encryption, HMACs create encrypted search tokens. The key stays on the application side, so the server can match encrypted search tokens without ever learning the plaintext or being able to generate new tokens. See [searchable encryption](/concepts/searchable-encryption) for what an HMAC term does and does not reveal. + +## I + +### IdP (Identity Provider) + +A third-party identity provider, such as Auth0, Okta, or Clerk. + +## J + +### JWT (JSON Web Token) + +A compact, URL-safe means of representing claims between two parties as a JSON object, typically used for authentication and authorization. JWTs are digitally signed to ensure the integrity and authenticity of the information, allowing systems to verify user identity without maintaining server-side sessions. + +## K + +### Keyset + +A core CipherStash Cloud primitive for cryptographic isolation, managed by [ZeroKMS](#zerokms). Each keyset maintains its own set of data encryption keys, and data encrypted under one keyset cannot be decrypted with another. + +Use keysets for tenant isolation, environment separation, regional compliance, or any cryptographic boundary your architecture requires. A [client key](#client-key) can access many keysets, and a keyset can be shared by multiple client keys. In the Secrets SDK, environments map directly to keysets. + +See [keysets](/stack/cipherstash/kms/keysets). + +## O + +### OIDC (OpenID Connect) + +An identity layer built on top of the OAuth 2.0 protocol that enables applications to verify user identity through an [identity provider](#idp-identity-provider). It facilitates secure single sign-on and standardizes how the identity provider shares identity information, using RESTful APIs and [JSON Web Tokens](#jwt-json-web-token). + +### ORE (Order Revealing Encryption) + +A searchable encryption technique allowing comparison and sorting of encrypted data without decryption. ORE terms reveal the relative order of the values they encode. See [sorting](/reference/eql/sorting) and [searchable encryption](/concepts/searchable-encryption). + +## P + +### Plaintext + +Unencrypted information, readable by humans and computers. + +## R + +### RBAC (Role Based Access Control) + +A security model that assigns access permissions based on a user's role within an organization, streamlining the management of access rights by grouping permissions into predefined roles. Unlike [ABAC](#abac-attribute-based-access-control), which evaluates policies based on a range of attributes, RBAC relies solely on roles. + +## S + +### Searchable encrypted metadata + +An encrypted data structure for finding records in encrypted columns, carried in the value's payload alongside the ciphertext. It replaces the need for full table scans, and supports range, exact, and match queries. + +See [core concepts](/reference/eql/core-concepts) for payload anatomy, and [searchable encryption](/concepts/searchable-encryption) for what each index term reveals. + +## W + +### Workspace + +A workspace contains [keysets](#keyset), client keys, and configuration. A workspace can separate environments (such as dev and prod), be shared with other users, and be associated with a custom identity provider. + +See [workspace and account](/reference/workspace). + +## Z + +### ZeroKMS + +CipherStash's key management service. ZeroKMS provides high-performance batch encryption and decryption, enabling a unique encryption key per field. See [ZeroKMS](/stack/cipherstash/kms). diff --git a/content/docs/reference/index.mdx b/content/docs/reference/index.mdx new file mode 100644 index 0000000..997dff4 --- /dev/null +++ b/content/docs/reference/index.mdx @@ -0,0 +1,9 @@ +--- +title: Reference +description: "Precise API documentation for EQL, the Stack SDK, Auth, the CLI, and Proxy." +type: reference +--- + +This section is being built as part of the docs V2 overhaul ([CIP-3307](https://linear.app/cipherstash/issue/CIP-3307)). Track progress in [IA.md](https://github.com/cipherstash/docs/blob/v2/IA.md). + +Until it lands, current documentation lives in the [existing docs](/stack). diff --git a/content/docs/reference/meta.json b/content/docs/reference/meta.json new file mode 100644 index 0000000..83f32fd --- /dev/null +++ b/content/docs/reference/meta.json @@ -0,0 +1,16 @@ +{ + "title": "Reference", + "icon": "Library", + "pages": [ + "index", + "eql", + "stack", + "auth", + "cli", + "proxy", + "workspace", + "...", + "agent-skills", + "glossary" + ] +} diff --git a/content/docs/reference/proxy/configuration.mdx b/content/docs/reference/proxy/configuration.mdx new file mode 100644 index 0000000..4316a2f --- /dev/null +++ b/content/docs/reference/proxy/configuration.mdx @@ -0,0 +1,360 @@ +--- +title: Configuration +description: "Install and configure CipherStash Proxy: Docker, TOML and environment variables, logging, Prometheus metrics, and the CLI." +type: reference +components: [proxy, eql] +--- + +CipherStash Proxy is available as a [container image](https://hub.docker.com/r/cipherstash/proxy) on Docker Hub. Deploy it locally, as a cloud sidecar, or as a standalone binary. It speaks the PostgreSQL protocol, so your application connects to Proxy exactly the same way it connects to PostgreSQL. + +## Installing Proxy + +The quickest way to run Proxy alongside your application is to add a container to your `docker-compose.yml`: + +```yaml filename="docker-compose.yml" +services: + app: + # Your app container config + db: + # Your Postgres container config + proxy: + image: cipherstash/proxy:latest + container_name: proxy + ports: + - 6432:6432 + - 9930:9930 + environment: + - CS_DATABASE__HOST=${CS_DATABASE__HOST} + - CS_DATABASE__PORT=${CS_DATABASE__PORT} + - CS_DATABASE__USERNAME=${CS_DATABASE__USERNAME} + - CS_DATABASE__PASSWORD=${CS_DATABASE__PASSWORD} + - CS_DATABASE__NAME=${CS_DATABASE__NAME} + - CS_WORKSPACE_CRN=${CS_WORKSPACE_CRN} + - CS_CLIENT_ACCESS_KEY=${CS_CLIENT_ACCESS_KEY} + - CS_DEFAULT_KEYSET_ID=${CS_DEFAULT_KEYSET_ID} + - CS_CLIENT_ID=${CS_CLIENT_ID} + - CS_CLIENT_KEY=${CS_CLIENT_KEY} + - CS_PROMETHEUS__ENABLED=${CS_PROMETHEUS__ENABLED:-true} +``` + +For a fully working example, see the [docker-compose.yml](https://github.com/cipherstash/proxy/blob/main/docker-compose.yml) in the Proxy repository. + +Start the container, then connect your PostgreSQL client to Proxy on TCP 6432: + +```bash cta cta-type="install" example-id="proxy-docker-compose-up" +docker compose up +``` + + +Unlike the Stack SDK, Proxy **always requires credentials to be supplied explicitly**, because it runs as a separate process or container and cannot use the host's device-based authentication. + +For local development, create a client key and access key in the [Dashboard](https://dashboard.cipherstash.com). For production, see [Going to production](/stack/deploy/going-to-production). + + +## Setting up the database schema + +Proxy queries encrypted data through [EQL](/reference/eql), which must be installed in the target database. Encrypted columns are typed with an EQL domain such as `public.text_eq`, and that type is what fixes the column's searchable capability. There is no database-side configuration table. + +- [Install EQL](/reference/eql) covers the install itself, including the permissions split and Supabase. +- [Core concepts](/reference/eql/core-concepts) covers the variant model and which domain type to choose. +- [Indexes](/reference/eql/indexes) covers adding functional indexes over the term extractors. + +In development, the Proxy container can install EQL for you on startup: + +```bash +CS_DATABASE__INSTALL_EQL=true +``` + +Check the installed version: + +```sql +SELECT eql_v3.version(); +``` + + +`CS_DATABASE__INSTALL_EQL` is for development only. In production, install EQL as a database migration. + + +## Configuration loading order + +Proxy accepts configuration from a TOML file, environment variables, or both. + +1. If `cipherstash-proxy.toml` exists in the current working directory, Proxy reads it first. +2. Proxy then reads any environment variables that are set. +3. When both are present, environment variables override values from the TOML file. + +## Config options + +### `[server]` + +| Option | Env variable | Default | Description | +|---|---|---|---| +| `host` | `CS_SERVER__HOST` | `0.0.0.0` | Proxy listen address | +| `port` | `CS_SERVER__PORT` | `6432` | Proxy listen port | +| `require_tls` | `CS_SERVER__REQUIRE_TLS` | `false` | Enforce TLS for client-to-proxy connections | +| `shutdown_timeout` | `CS_SERVER__SHUTDOWN_TIMEOUT` | `2000` | Milliseconds to wait for connections to drain on shutdown | +| `worker_threads` | `CS_SERVER__WORKER_THREADS` | `NUMBER_OF_CORES/2` or `4` | Number of server worker threads | +| `thread_stack_size` | `CS_SERVER__THREAD_STACK_SIZE` | `2097152` (2 MiB) | Thread stack size in bytes. Automatically set to 4 MiB when log level is `debug` or `trace` | +| `cipher_cache_size` | `CS_SERVER__CIPHER_CACHE_SIZE` | `64` | Maximum number of encryption/decryption operations to cache | +| `cipher_cache_ttl_seconds` | `CS_SERVER__CIPHER_CACHE_TTL_SECONDS` | `3600` | Seconds before cached cipher operations expire | + +### `[database]` + +| Option | Env variable | Default | Description | +|---|---|---|---| +| `host` | `CS_DATABASE__HOST` | `0.0.0.0` | Database host address | +| `port` | `CS_DATABASE__PORT` | `5432` | Database port | +| `name` | `CS_DATABASE__NAME` | (required) | Database name | +| `username` | `CS_DATABASE__USERNAME` | (required) | Database username | +| `password` | `CS_DATABASE__PASSWORD` | (required) | Database password | +| `connection_timeout` | `CS_DATABASE__CONNECTION_TIMEOUT` | none | Milliseconds to hold an idle connection open. In production, set this higher than your application's connection pool idle timeout | +| `with_tls_verification` | `CS_DATABASE__WITH_TLS_VERIFICATION` | `false` | Enable TLS verification between Proxy and the database | +| `config_reload_interval` | `CS_DATABASE__CONFIG_RELOAD_INTERVAL` | `60` | Seconds between encrypted index configuration reloads | +| `schema_reload_interval` | `CS_DATABASE__SCHEMA_RELOAD_INTERVAL` | `60` | Seconds between database schema reloads | + +### `[tls]` + +Configure TLS for client-to-proxy connections. Provide either file paths or inline PEM strings. + +| Option | Env variable | Description | +|---|---|---| +| `certificate_path` | `CS_TLS__CERTIFICATE_PATH` | Path to the public certificate `.crt` file | +| `private_key_path` | `CS_TLS__PRIVATE_KEY_PATH` | Path to the private key file | +| `certificate_pem` | `CS_TLS__CERTIFICATE_PEM` | Public certificate as a PEM string | +| `private_key_pem` | `CS_TLS__PRIVATE_KEY_PEM` | Private key as a PEM string | + +### `[auth]` + +| Option | Env variable | Description | +|---|---|---| +| `workspace_crn` | `CS_WORKSPACE_CRN` | CipherStash workspace CRN | +| `client_access_key` | `CS_CLIENT_ACCESS_KEY` | CipherStash client access key | + +### `[encrypt]` + +| Option | Env variable | Description | +|---|---|---| +| `default_keyset_id` | `CS_DEFAULT_KEYSET_ID` | Default keyset. Omit to enable [multitenant operation](/reference/proxy/multitenant) | +| `client_id` | `CS_CLIENT_ID` | CipherStash client ID | +| `client_key` | `CS_CLIENT_KEY` | CipherStash client key | + +### `[log]` + +| Option | Env variable | Default | Description | +|---|---|---|---| +| `level` | `CS_LOG__LEVEL` | `info` | Global log level. Valid values: `error`, `warn`, `info`, `debug`, `trace` | +| `format` | `CS_LOG__FORMAT` | `pretty` (terminal), `structured` (non-terminal) | Log format. Valid values: `pretty`, `text`, `structured` (JSON) | +| `output` | `CS_LOG__OUTPUT` | `stdout` | Log output destination. Valid values: `stdout`, `stderr` | +| `ansi_enabled` | `CS_LOG__ANSI_ENABLED` | `true` (terminal), `false` (non-terminal) | Enable colored output | +| `slow_statements` | `CS_LOG__SLOW_STATEMENTS` | `false` | Enable slow statement logging | +| `slow_statement_min_duration_ms` | `CS_LOG__SLOW_STATEMENT_MIN_DURATION_MS` | `2000` | Minimum duration in milliseconds for a statement to be considered slow | +| `slow_db_response_min_duration_ms` | `CS_LOG__SLOW_DB_RESPONSE_MIN_DURATION_MS` | `100` | Minimum duration in milliseconds for a database response to be considered slow | + +### `[prometheus]` + +| Option | Env variable | Default | Description | +|---|---|---|---| +| `enabled` | `CS_PROMETHEUS__ENABLED` | `false` | Enable the Prometheus metrics exporter | +| `port` | `CS_PROMETHEUS__PORT` | `9930` | Port for the Prometheus exporter | + +## Full TOML example + +```toml filename="cipherstash-proxy.toml" +[server] +host = "0.0.0.0" +port = "6432" +require_tls = "false" +shutdown_timeout = "2000" +worker_threads = "4" +thread_stack_size = "2097152" +cipher_cache_size = "64" +cipher_cache_ttl_seconds = "3600" + +[database] +host = "0.0.0.0" +port = "5432" +name = "database" +username = "username" +password = "password" +connection_timeout = "300000" +with_tls_verification = "false" +config_reload_interval = "60" +schema_reload_interval = "60" + +[tls] +certificate_path = "./server.crt" +private_key_path = "./server.key" + +[auth] +workspace_crn = "cipherstash-workspace-crn" +client_access_key = "cipherstash-client-access-key" + +[encrypt] +default_keyset_id = "cipherstash-keyset-id" +client_id = "cipherstash-client-id" +client_key = "cipherstash-client-key" + +[log] +level = "info" +format = "pretty" +output = "stdout" +ansi_enabled = "true" +slow_statements = "false" +slow_statement_min_duration_ms = "2000" +slow_db_response_min_duration_ms = "100" + +[prometheus] +enabled = "false" +port = "9930" +``` + +## Development settings + +Defaults are tuned for production. When running Proxy locally, override these for a better development experience. None of these settings are appropriate for production. + +Enable colored, human-readable logs: + +```bash +CS_LOG__FORMAT="pretty" +CS_LOG__ANSI_ENABLED="true" +``` + +Reduce reload intervals when iterating on your schema: + +```bash +CS_DATABASE__CONFIG_RELOAD_INTERVAL="10" +CS_DATABASE__SCHEMA_RELOAD_INTERVAL="10" +``` + +### Slow query logging + +Slow query logging identifies statements that take longer than expected: + +```bash +CS_LOG__SLOW_STATEMENTS="true" +``` + +By default, any statement taking longer than 2000 ms is flagged. Tune the thresholds to match your latency expectations: + +```bash +CS_LOG__SLOW_STATEMENT_MIN_DURATION_MS="500" # statement total time +CS_LOG__SLOW_DB_RESPONSE_MIN_DURATION_MS="200" # database round-trip only +``` + +When a slow statement is detected, Proxy emits a structured log line at the `SLOW_STATEMENTS` target. With `format = "pretty"`, it looks like: + +``` +WARN slow_statement duration_ms=620 query="SELECT * FROM users WHERE ..." +``` + +Use these lines to find queries that need indexes. A query that is unexpectedly slow is usually missing a functional index over the term extractor, or is passing an untyped operand. See [query performance](/reference/eql/indexes). + +To isolate slow-statement output in production, set `CS_LOG__SLOW_STATEMENTS_LEVEL=warn` while keeping the global level at `error`. + +## Docker-specific options + +These environment variables are only available in the Docker container image, not in the binary. + +| Env variable | Description | +|---|---| +| `CS_DATABASE__INSTALL_EQL` | Install EQL on container startup | +| `CS_DATABASE__INSTALL_EXAMPLE_SCHEMA` | Load the example schema on container startup | +| `CS_DATABASE__INSTALL_AWS_RDS_CERT_BUNDLE` | Add the AWS RDS certificate bundle for TLS verification | + + +`CS_DATABASE__INSTALL_EQL` and `CS_DATABASE__INSTALL_EXAMPLE_SCHEMA` are for development use only. Install EQL as a database migration in production. + + +## Per-target log levels + +Override the log level for specific internal components using the pattern `CS_LOG__{TARGET}_LEVEL`. These accept the same values as `CS_LOG__LEVEL`. + +| Env variable | Target | Description | +|---|---|---| +| `CS_LOG__DEVELOPMENT_LEVEL` | `DEVELOPMENT` | General development logging | +| `CS_LOG__AUTHENTICATION_LEVEL` | `AUTHENTICATION` | Client authentication and SASL | +| `CS_LOG__CONFIG_LEVEL` | `CONFIG` | Configuration loading | +| `CS_LOG__CONTEXT_LEVEL` | `CONTEXT` | Connection context | +| `CS_LOG__ENCODING_LEVEL` | `ENCODING` | Data encoding and decoding | +| `CS_LOG__ENCRYPT_LEVEL` | `ENCRYPT` | Encryption operations | +| `CS_LOG__DECRYPT_LEVEL` | `DECRYPT` | Decryption operations | +| `CS_LOG__ENCRYPT_CONFIG_LEVEL` | `ENCRYPT_CONFIG` | Encryption configuration loading | +| `CS_LOG__ZEROKMS_LEVEL` | `ZEROKMS` | ZeroKMS cipher initialization, cache, and connectivity | +| `CS_LOG__MIGRATE_LEVEL` | `MIGRATE` | Schema migration | +| `CS_LOG__PROTOCOL_LEVEL` | `PROTOCOL` | PostgreSQL wire protocol | +| `CS_LOG__MAPPER_LEVEL` | `MAPPER` | SQL statement mapping and transformation | +| `CS_LOG__SCHEMA_LEVEL` | `SCHEMA` | Database schema analysis | +| `CS_LOG__SLOW_STATEMENTS_LEVEL` | `SLOW_STATEMENTS` | Slow statement detection | + +## CLI reference + +```bash +cipherstash-proxy [OPTIONS] [DBNAME] [COMMAND] +``` + +### Commands + +| Command | Description | +|---|---| +| `encrypt` | Encrypt existing plaintext data in the database | +| `help` | Print help information | + +The `encrypt` command encrypts existing plaintext data in place. See [the encrypt tool](/stack/cipherstash/proxy/encrypt-tool). + +### Arguments and options + +| Flag | Default | Description | +|---|---|---| +| `DBNAME` | | Database name (positional, optional) | +| `-H, --db-host ` | `127.0.0.1` | Database host | +| `-u, --db-user ` | `postgres` | Database user | +| `-p, --config-file-path ` | `cipherstash-proxy.toml` | Path to the TOML config file | +| `-l, --log-level ` | `info` | Log level | +| `-f, --log-format ` | `pretty` (terminal), `structured` (non-terminal) | Log format | + +## Prometheus metrics + +Enable the exporter with `CS_PROMETHEUS__ENABLED=true`. Metrics are exposed on port `9930` by default. + +| Metric | Type | Description | +|---|---|---| +| `cipherstash_proxy_keyset_cipher_cache_hits_total` | Counter | Keyset-scoped cipher cache hits | +| `cipherstash_proxy_keyset_cipher_cache_miss_total` | Counter | Cipher cache misses requiring initialization | +| `cipherstash_proxy_keyset_cipher_init_total` | Counter | New keyset-scoped cipher initializations | +| `cipherstash_proxy_keyset_cipher_init_duration_seconds` | Histogram | Duration of cipher initialization, including ZeroKMS network call | +| `cipherstash_proxy_clients_active_connections` | Gauge | Current active client connections | +| `cipherstash_proxy_clients_bytes_received_total` | Counter | Bytes received from clients | +| `cipherstash_proxy_clients_bytes_sent_total` | Counter | Bytes sent to clients | +| `cipherstash_proxy_decrypted_values_total` | Counter | Individual values decrypted | +| `cipherstash_proxy_decryption_duration_seconds` | Histogram | Time spent performing decryption | +| `cipherstash_proxy_decryption_duration_seconds_count` | Counter | Number of decryption timing observations | +| `cipherstash_proxy_decryption_duration_seconds_sum` | Counter | Total cumulative decryption time | +| `cipherstash_proxy_decryption_error_total` | Counter | Unsuccessful decryption operations | +| `cipherstash_proxy_decryption_requests_total` | Counter | ZeroKMS decrypt requests | +| `cipherstash_proxy_encrypted_values_total` | Counter | Individual values encrypted | +| `cipherstash_proxy_encryption_duration_seconds` | Histogram | Time spent performing encryption | +| `cipherstash_proxy_encryption_duration_seconds_count` | Counter | Number of encryption timing observations | +| `cipherstash_proxy_encryption_duration_seconds_sum` | Counter | Total cumulative encryption time | +| `cipherstash_proxy_encryption_error_total` | Counter | Unsuccessful encryption operations | +| `cipherstash_proxy_encryption_requests_total` | Counter | ZeroKMS encrypt requests | +| `cipherstash_proxy_rows_encrypted_total` | Counter | Encrypted rows returned to clients | +| `cipherstash_proxy_rows_passthrough_total` | Counter | Non-encrypted rows returned to clients | +| `cipherstash_proxy_rows_total` | Counter | Total rows returned to clients | +| `cipherstash_proxy_server_bytes_received_total` | Counter | Bytes received from the PostgreSQL server | +| `cipherstash_proxy_server_bytes_sent_total` | Counter | Bytes sent to the PostgreSQL server | +| `cipherstash_proxy_statements_execution_duration_seconds` | Histogram | Database SQL execution time | +| `cipherstash_proxy_statements_session_duration_seconds` | Histogram | Total statement processing time (encrypt, execute, decrypt) | +| `cipherstash_proxy_statements_encrypted_total` | Counter | Statements requiring encryption | +| `cipherstash_proxy_statements_passthrough_total` | Counter | Statements not requiring encryption | +| `cipherstash_proxy_statements_total` | Counter | Total statements processed | +| `cipherstash_proxy_statements_unmappable_total` | Counter | Statements that could not be mapped | + +## Reloading configuration + +When Proxy receives a `SIGHUP`, it reloads application-level configuration (`database`, `auth`, `encrypt`, `log`, `prometheus`, `development`) without disrupting active connections. + +Network settings require a full restart: `server.host`, `server.port`, `server.require_tls`, `server.worker_threads`, and any `tls` configuration. + +## Supported architectures + +CipherStash Proxy is available as a Docker container image for `linux/arm64`. diff --git a/content/docs/reference/proxy/errors.mdx b/content/docs/reference/proxy/errors.mdx new file mode 100644 index 0000000..76c1e0d --- /dev/null +++ b/content/docs/reference/proxy/errors.mdx @@ -0,0 +1,217 @@ +--- +title: Errors +description: "Errors returned by CipherStash Proxy, grouped by category, with likely causes and steps to diagnose and resolve each one." +type: reference +components: [proxy] +--- + +Errors CipherStash Proxy can return, grouped by category, with steps to diagnose and resolve each one. + +## Authentication errors + +### Database authentication failed + +**Error:** `Database authentication failed. Check username and password` + +Proxy could not authenticate with the upstream PostgreSQL database. + +1. Check that the configured username and password are correct and can connect to the database. +2. Check that the database uses a supported authentication method: `password`, `md5`, or `scram-sha-256`. See [PostgreSQL password authentication](https://www.postgresql.org/docs/17/auth-password.html). + +### Client authentication failed + +**Error:** `Client authentication failed. Check username and password.` + +Proxy rejected the client connection because the credentials were incorrect. Check that the username and password your application sends match the values configured in Proxy. + +### ZeroKMS authentication failed + +**Error:** `ZeroKMS authentication failed. Check the configured credentials.` + +Proxy could not authenticate with ZeroKMS. + +1. Check that the configured `client` credentials are correct. +2. Check that the active `keyset_name` or `keyset_id` is associated with a keyset in the configured workspace. + +## Mapping errors + +### Invalid parameter + +**Error:** `Invalid parameter for column 'column_name' of type 'cast' in table 'table_name'. (OID 'oid')` + +Each encrypted column has a target type. When encrypting a parameter or literal, Proxy decodes and casts the data into that type. This error means the data cannot be decoded and cast to the expected type. + +Some parameter types are converted automatically. For example, PostgreSQL `INT2`, `INT4`, and `INT8` are converted to the corresponding encrypted integer types. + +Check that the parameter or literal matches the type of the encrypted column. See [core concepts](/reference/eql/core-concepts) for the variant model. + +### Invalid SQL statement + +**Error:** `sql parser error: Expected: SELECT, VALUES, or a subquery in the query body` (varies) + +Proxy could not parse the SQL statement. Check that the statement is valid PostgreSQL. If the statement is correct and the parser is wrong, contact [CipherStash support](https://cipherstash.com/support). + +### Unsupported parameter type + +**Error:** `Encryption of PostgreSQL {name} (OID {oid}) types is not currently supported.` + +The parameter's data type is not supported for encryption. See the [EQL type reference](/reference/eql/core-concepts) for the supported types. + +### Statement could not be type checked + +**Error:** `Statement could not be type checked: '{type-check-error-message}'` + +Proxy checks SQL statements against the database schema in order to transparently encrypt and decrypt data. The behaviour when a type check fails depends on the `mapping_errors_enabled` configuration: + +- When `mapping_errors_enabled` is `false` (default), the error is logged and the statement passes through to the database. +- When `mapping_errors_enabled` is `true`, the error is raised and statement execution halts. + +The default passes statements through because most production systems have a small number of encrypted columns, and blocking on false negatives causes more harm. A statement that passes through unmapped cannot silently write plaintext: the encrypted column's domain `CHECK` rejects any payload missing its required index terms, so the write fails with a PostgreSQL type error instead. See [core concepts](/reference/eql/core-concepts). + +Check that you are running the latest version of Proxy, and contact [CipherStash support](https://cipherstash.com/support) if the error persists. + +### Internal mapper error + +**Error:** `Statement encountered an internal error. This may be a bug in the statement mapping module of CipherStash Proxy.` + +An unexpected error occurred in the statement mapping module. Update to the latest version, and contact [CipherStash support](https://cipherstash.com/support) if the error persists. + +## Encrypt errors + +### Column could not be encrypted + +**Error:** `Column 'column_name' in table 'table_name' could not be encrypted.` + +Proxy uses ZeroKMS for encryption operations. The most likely cause is a network issue reaching the service. + +1. Check that ZeroKMS is available on the [status page](https://status.cipherstash.com/). +2. Check that Proxy has network access to ZeroKMS in the appropriate region. +3. Check that the column's encrypted type matches the data being written. + +### KeysetId could not be parsed + +**Error:** `KeysetId '{id}' could not be parsed using 'SET CIPHERSTASH.KEYSET_ID'. KeysetId should be a valid UUID.` + +The value passed to `SET CIPHERSTASH.KEYSET_ID` is not a valid UUID. The correct syntax is: + +```sql +SET [SESSION] CIPHERSTASH.KEYSET_ID { TO | = } '{KeysetId}' +``` + +### KeysetId could not be set + +**Error:** `Keyset Id could not be set using 'SET CIPHERSTASH.KEYSET_ID'` + +1. Check the syntax: the `keyset_id` value must be in single quotes. +2. Check that the `keyset_id` is a valid UUID. +3. Check that the value is a literal. PostgreSQL `SET` does not support parameterised queries. + +### KeysetName could not be set + +**Error:** `Keyset Name could not be set using 'SET CIPHERSTASH.KEYSET_NAME'` + +1. Check the syntax: the `keyset_name` value must be in single quotes. +2. Check that the value is a literal. PostgreSQL `SET` does not support parameterised queries. + +### Unknown keyset identifier + +**Error:** `Unknown keyset name or id '{keyset}'` + +Proxy could not find a keyset matching the name or ID. + +1. Check that the active `keyset_name` or `keyset_id` is associated with a keyset in the configured workspace. +2. Check that the configured `client` has been granted access to the keyset in the Dashboard. +3. Keyset names are case-sensitive. Check for an exact match. +4. Check that the configured `client` credentials are correct. + +### Could not decrypt data for keyset + +**Error:** `Could not decrypt data for keyset '{keyset_id}'` + +The active `keyset_id` does not match the `keyset_id` of the data being decrypted. Each encrypted record belongs to a keyset with a unique identifier, and Proxy encrypts data using the currently active keyset. If the record's keyset does not match the active one, the data cannot be decrypted. + +1. Check that the `keyset_id` in the configuration matches the `keyset_id` of the encrypted records. +2. If using `SET CIPHERSTASH.KEYSET_ID`, check that the value matches the encrypted records. +3. Check that the configured `client` has been granted access to the `keyset_id`. + +See [multitenant operation](/reference/proxy/multitenant) for per-connection keyset scoping. + +### Plaintext could not be encoded + +**Error:** `Decrypted column could not be encoded as the expected type.` + +When Proxy decrypts data, it casts and encodes the result as the PostgreSQL representation of the column's type. Changing an encrypted column's type after data has been written can cause this error. + +1. Check that the column has the correct encrypted type. +2. Check that the column type has not changed since the data was written. + +### Unknown column + +**Error:** `Column 'column_name' in table 'table_name' has no Encrypt configuration` + +Proxy has no encrypted-column mapping for this column. In EQL v3 a column's searchable capability is fixed by the [domain variant](/reference/eql/core-concepts) it is typed as, so a column Proxy cannot map is usually one that was never given an EQL type: + +```sql +ALTER TABLE users ALTER COLUMN email TYPE public.text_eq; +``` + +Proxy reloads the database schema on the interval set by `CS_DATABASE__SCHEMA_RELOAD_INTERVAL` (60 seconds by default), so a newly typed column may take up to that long to become mappable. + +### Unknown table + +**Error:** `Table 'table_name' has no Encrypt configuration` + +The table has no columns Proxy recognises as encrypted. Type at least one column with an EQL domain variant, as above. + +### Unknown index term + +**Error:** `Unknown Index Term for column '{column_name}' in table '{table_name}'.` + +The encrypted column carries an index term Proxy does not recognise. EQL validates payloads against the column's domain `CHECK`, but direct database writes can bypass the encryption client and store a malformed payload. + +Check the column's type and the payload's term keys against [core concepts](/reference/eql/core-concepts). + +### Column configuration mismatch + +**Error:** `Column configuration for column '{column_name}' in table '{table_name}' does not match the encrypted column.` + +Proxy validates that encrypted columns match their expected type before decrypting. This check prevents confused deputy attacks and should not appear during normal operation. Contact [CipherStash support](https://cipherstash.com/support) if it persists. + +## Decrypt errors + +### Column could not be deserialised + +**Error:** `Column 'column_name' in table 'table_name' could not be deserialised.` + +Proxy stores encrypted data and search terms as `jsonb`. This error indicates an internal issue deserialising and extracting the ciphertext for decryption. It can occur if the encrypted data has been altered by another process. + +Check that the data in the encrypted column is a well-formed EQL payload. See [payload anatomy](/reference/eql/core-concepts). Contact [CipherStash support](https://cipherstash.com/support) if the error persists. + +## Configuration errors + +### Missing or invalid TLS configuration + +**Errors:** + +``` +Invalid Transport Layer Security (TLS) certificate. +Invalid Transport Layer Security (TLS) private key. +Missing Transport Layer Security (TLS) certificate at path: {path}. +Missing Transport Layer Security (TLS) private key at path: {path}. +``` + +For path-based configuration, check that the certificate and key exist at the specified paths and are valid. For PEM-based configuration, check that the certificate and key values are valid. See [TLS configuration](/reference/proxy/configuration). + +### Network configuration change requires restart + +**Error:** `Network configuration change requires restart` + +When Proxy receives a `SIGHUP`, it reloads application-level configuration without disrupting active connections. These network settings require a full restart: + +- `server.host` +- `server.port` +- `server.require_tls` +- `server.worker_threads` +- `tls` (any TLS configuration) + +Stop Proxy, update the configuration, then restart. diff --git a/content/docs/reference/proxy/index.mdx b/content/docs/reference/proxy/index.mdx new file mode 100644 index 0000000..f468666 --- /dev/null +++ b/content/docs/reference/proxy/index.mdx @@ -0,0 +1,22 @@ +--- +title: Proxy +description: "Configuration, message flow, multitenant operation, and error reference for CipherStash Proxy." +type: reference +components: [proxy] +--- + +CipherStash Proxy sits between your application and PostgreSQL, encrypting query parameters on the way in and decrypting results on the way out. Your application connects to Proxy exactly as it connects to PostgreSQL, so adopting encryption needs no application changes. + +Proxy speaks the PostgreSQL wire protocol (it is based on [pgcat](https://github.com/pgcat/pgcat)) and is distributed as a [container image](https://hub.docker.com/r/cipherstash/proxy) on Docker Hub. It is an [EQL](/reference/eql) client: it produces the encrypted payloads EQL stores, and types the bound parameters EQL's operators resolve against. + +## In this section + +- [Configuration](/reference/proxy/configuration) covers installation, the TOML and environment-variable options, logging, Prometheus metrics, and the CLI. +- [Message flow](/reference/proxy/message-flow) explains how Proxy intercepts the extended query protocol, for debugging unmappable statements. +- [Multitenant operation](/reference/proxy/multitenant) covers per-connection keyset scoping and encrypted mapping. +- [Errors](/reference/proxy/errors) lists the errors Proxy returns, with causes and remediation. + +## Related + +- [EQL reference](/reference/eql) for the database-side surface Proxy queries against. +- [Stack SDK](/reference/stack) for the application-level alternative to Proxy. diff --git a/content/docs/reference/proxy/message-flow.mdx b/content/docs/reference/proxy/message-flow.mdx new file mode 100644 index 0000000..896dc44 --- /dev/null +++ b/content/docs/reference/proxy/message-flow.mdx @@ -0,0 +1,83 @@ +--- +title: Message flow +description: "How CipherStash Proxy handles PostgreSQL Parse and Bind messages to transparently encrypt and decrypt query parameters." +type: reference +components: [proxy] +--- + +This page explains the internal message handling flow, for advanced users debugging unmappable statements or unexpected Proxy behaviour. CipherStash Proxy sits between your application and PostgreSQL and intercepts the PostgreSQL extended query protocol. It encrypts parameters before they reach the database and decrypts values before they reach your application. + +## Extended query protocol overview + +The PostgreSQL extended query protocol uses a sequence of messages to execute parameterised queries. The two most relevant messages for encryption are: + +- **Parse**: the client sends a SQL statement with parameter placeholders (`$1`, `$2`, and so on). Proxy inspects the statement and maps column references to their encrypted column types. +- **Bind**: the client sends parameter values to bind to a prepared statement. If Proxy recognised the statement during Parse, it encrypts the parameters here before forwarding them. + +Binding a parameter is also what types it. EQL's encrypted operators only resolve against a typed operand, so the Bind step is what makes an index-backed query possible. See [typed operands](/reference/eql/core-concepts) for why. + +## Parse flow + +When Proxy receives a Parse message, it determines whether the SQL statement references encrypted columns. + +![Parse message flow diagram](/images/proxy/parse.svg) + +1. Proxy checks whether the statement is encryptable, that is, whether it references at least one encrypted column. +2. If it is encryptable, Proxy maps the column references to their encrypted column types. +3. If the statement includes literal parameter values, Proxy rewrites them as encrypted values immediately. +4. Proxy adds the statement and its column mapping to the connection context for use during Bind. +5. Proxy forwards the (possibly rewritten) Parse message to PostgreSQL. + +If the statement is not encryptable, Proxy forwards it unchanged. + +## Bind flow + +When Proxy receives a Bind message, it looks up the corresponding statement in the connection context. + +![Bind message flow diagram](/images/proxy/bind.svg) + +1. Proxy checks whether the statement that this Bind message references is in the context, that is, whether it was processed during Parse. +2. If it is, Proxy encrypts each parameter value according to the column mapping recorded during Parse. +3. Proxy rewrites the parameter values in the Bind message with the encrypted payloads. +4. Proxy creates a portal for the bound statement and adds it to the context. +5. Proxy forwards the rewritten Bind message to PostgreSQL. + +If the statement is not in context, Proxy creates a portal without encryption and forwards it unchanged. + +## Pipelining + +PostgreSQL supports pipelining: the client can send multiple messages without waiting for responses. Proxy must track Describe and Execute messages to correlate server responses with the right statements or portals, since responses arrive in order but may interleave. + +``` + Sequential Pipelined +| Client | Server | | Client | Server | +|----------------|-----------------| |----------------|-----------------| +| send query 1 | | | send query 1 | | +| | process query 1 | | send query 2 | process query 1 | +| receive rows 1 | | | send query 3 | process query 2 | +| send query 2 | | | receive rows 1 | process query 3 | +| | process query 2 | | receive rows 2 | | +| receive rows 2 | | | receive rows 3 | | +``` + +The PostgreSQL server always processes queries in sequential order, even when pipelined. Proxy preserves this ordering when encrypting parameters and decrypting results. + +## Unmappable statements + +Some statements cannot be mapped to an encrypted column. This happens when: + +- The statement uses a function or expression that obscures the column reference, for example `CAST(email AS text)`. +- The column is referenced through a view, subquery, or CTE that Proxy cannot resolve. +- The statement uses a SQL feature Proxy does not yet parse, for example certain `COPY` forms. + +When a statement is unmappable, Proxy forwards it to PostgreSQL unmodified. No encryption or decryption occurs. The `cipherstash_proxy_statements_unmappable_total` Prometheus metric tracks how often this happens. Set `CS_LOG__MAPPER_LEVEL=debug` to see which statements are unmappable and why. + + +An unmappable `SELECT` returns the raw encrypted payload rather than plaintext. An unmappable `INSERT` or `UPDATE` fails the encrypted column's domain `CHECK` rather than writing plaintext, so a mapping failure never silently stores unencrypted data. + + +## Related + +- [Proxy configuration](/reference/proxy/configuration) for `CS_LOG__MAPPER_LEVEL` and the Prometheus metrics. +- [Proxy errors](/reference/proxy/errors) for the errors raised when mapping or type checking fails. +- [EQL core concepts](/reference/eql/core-concepts) for the typed-operand rule and the domain `CHECK`. diff --git a/content/docs/reference/proxy/meta.json b/content/docs/reference/proxy/meta.json new file mode 100644 index 0000000..7d70335 --- /dev/null +++ b/content/docs/reference/proxy/meta.json @@ -0,0 +1,4 @@ +{ + "title": "Proxy", + "pages": ["index", "configuration", "message-flow", "multitenant", "errors"] +} diff --git a/content/docs/reference/proxy/multitenant.mdx b/content/docs/reference/proxy/multitenant.mdx new file mode 100644 index 0000000..9a7c2e8 --- /dev/null +++ b/content/docs/reference/proxy/multitenant.mdx @@ -0,0 +1,77 @@ +--- +title: Multitenant operation +description: "Scope CipherStash Proxy connections to tenant-specific keysets and manage encrypted mapping at runtime." +type: reference +components: [proxy, platform] +--- + +CipherStash Proxy supports multitenant applications using ZeroKMS keysets, giving strong cryptographic separation between tenants. + +Each tenant is associated with a keyset, and data is protected by separate encryption keys. Scope a Proxy connection to a specific keyset at runtime with the `SET CIPHERSTASH.KEYSET` commands. Once a keyset is set for a connection, all subsequent operations are scoped to it, and data can only be decrypted by the keyset that encrypted it. + +A keyset `name` is unique to a workspace and functions as an alias, so you can associate a keyset with an arbitrary identifier such as an internal `TenantId`. + + +Proxy must be configured **without** a `CS_DEFAULT_KEYSET_ID` to enable multitenant operation. If a default keyset is configured, the `SET CIPHERSTASH.KEYSET` commands return an error. + + +## Keyset commands + +### SET CIPHERSTASH.KEYSET_ID + +Sets the active keyset for the current connection using a keyset UUID. + +```sql +SET CIPHERSTASH.KEYSET_ID = '2cace9db-3a2a-4b46-a184-ba412b3e0730'; +``` + +### SET CIPHERSTASH.KEYSET_NAME + +Sets the active keyset for the current connection using a keyset name. + +```sql +SET CIPHERSTASH.KEYSET_NAME = 'tenant-1'; +``` + +### Usage notes + +- Execute `SET CIPHERSTASH.KEYSET` before performing any encryption operations. +- The keyset remains active for the duration of the connection, or until a subsequent `SET CIPHERSTASH.KEYSET` command. +- The active keyset is connection-scoped and does not affect other connections. +- Both commands take a literal value in single quotes. PostgreSQL `SET` does not support parameterised queries. + +Joining encrypted columns across two keysets does not work, because equality is only meaningful within a keyset. See [joins](/reference/eql/joins) for the same-keyset constraint. + +## Disabling encrypted mapping + +CipherStash Proxy transforms the plaintext SQL statements your application issues into statements on encrypted columns. This process is called encrypted mapping. + +In some circumstances you may need to disable encrypted mapping for one or more SQL statements, for example when performing a data transformation with complex logic directly in the database using `plpgsql`. + +Use `SET` to change the `CIPHERSTASH.UNSAFE_DISABLE_MAPPING` configuration parameter. It is always scoped to the connection session. + +```sql +SET CIPHERSTASH.UNSAFE_DISABLE_MAPPING = true; -- disable +SET CIPHERSTASH.UNSAFE_DISABLE_MAPPING = false; -- re-enable +``` + + +If mapping is disabled, sensitive data may not be encrypted and may appear in logs. + + +Proxy and EQL together give some protection against reading or writing plaintext in encrypted columns. An unmapped `SELECT` returns the encrypted payload rather than plaintext. An unmapped `INSERT` or `UPDATE` fails the encrypted column's domain `CHECK` with a PostgreSQL type error, because every EQL domain variant requires its index terms to be present in the payload. See [core concepts](/reference/eql/core-concepts) for the variant model. + +## Prepared statements and mapping + +CipherStash Proxy only decrypts data from SQL statements it has explicitly checked and mapped. + +If mapping is disabled, any subsequent `PREPARE` skips the mapping process. If mapping is re-enabled later, data returned from those prepared statements is still not decrypted. + +To restore mapping, encryption, and decryption of prepared statements, either open a new connection or prepare the statement again after re-enabling mapping. + +This behaviour is expected. When a client prepares a statement, it sends the SQL in a `parse` message. Once prepared, the client refers to the statement by name and skips the `parse` step. If mapping was disabled during `parse`, Proxy never mapped the statement, so data returned from subsequent executions is never decrypted. See [message flow](/reference/proxy/message-flow). + +## Related + +- [Keysets](/stack/cipherstash/kms/keysets) for the cryptographic isolation model. +- [Proxy configuration](/reference/proxy/configuration) for `CS_DEFAULT_KEYSET_ID`. diff --git a/content/docs/reference/stack/index.mdx b/content/docs/reference/stack/index.mdx new file mode 100644 index 0000000..edac1c3 --- /dev/null +++ b/content/docs/reference/stack/index.mdx @@ -0,0 +1,8 @@ +--- +title: Stack SDK +description: "Stack SDK documentation β€” being built as part of the docs V2 overhaul." +--- + +This section is being built as part of the docs V2 overhaul ([CIP-3307](https://linear.app/cipherstash/issue/CIP-3307)). Track progress in [IA.md](https://github.com/cipherstash/docs/blob/v2/IA.md). + +Until it lands, current documentation lives in the [existing docs](/stack). diff --git a/content/docs/reference/stack/meta.json b/content/docs/reference/stack/meta.json new file mode 100644 index 0000000..d0f86af --- /dev/null +++ b/content/docs/reference/stack/meta.json @@ -0,0 +1,4 @@ +{ + "title": "Stack SDK", + "pages": ["..."] +} diff --git a/content/docs/reference/workspace/billing.mdx b/content/docs/reference/workspace/billing.mdx new file mode 100644 index 0000000..4079457 --- /dev/null +++ b/content/docs/reference/workspace/billing.mdx @@ -0,0 +1,36 @@ +--- +title: Billing +description: "How CipherStash per-workspace billing works, including plans, upgrades, downgrades, and Stripe." +type: reference +components: [platform] +audience: [cto] +reviewBy: "2027-01-09" +--- + +CipherStash uses a **per-workspace billing model**. Each workspace has its own plan and usage limits. Organizations and team members are always free and unlimited. + +## Plans + +Each workspace is on a plan. Plans differ in their usage limits and in which features they unlock, such as keyset isolation and [lock contexts](/stack/cipherstash/encryption/identity). See [pricing](https://cipherstash.com/pricing) for the current plans, their prices, and their limits. + +Enterprise is an organization-level plan with custom pricing and dedicated support. Enterprise organizations bypass per-workspace billing entirely. Contact [sales@cipherstash.com](mailto:sales@cipherstash.com). + +## Managing workspace billing + +Each workspace has a billing page reachable from the workspace sidebar in the [Dashboard](https://dashboard.cipherstash.com). From there you can view your current plan and usage metrics, upgrade or downgrade, cancel your subscription, and open the Stripe billing portal for payment methods and invoices. + +## How billing works + +- **One Stripe customer per organization.** All workspaces in your organization share the same Stripe customer. +- **One subscription per workspace.** Each workspace has its own Stripe subscription tied to its plan. +- **Proration on upgrades.** Upgrading mid-cycle charges a prorated amount for the remainder of the billing period. +- **Downgrades at period end.** Downgrading takes effect at the end of the current billing period. +- **Cancellation.** Canceling keeps the plan active until the end of the billing period, then reverts to Free. + +## Enterprise and AWS Marketplace + +Organizations on Enterprise plans or subscribed through AWS Marketplace have billing managed at the organization level, and all their workspaces have unlimited access to all features. Manage enterprise billing from the Organization Profile. + +## Need help? + +Contact [support@cipherstash.com](mailto:support@cipherstash.com) for billing questions. diff --git a/content/docs/reference/workspace/configuration.mdx b/content/docs/reference/workspace/configuration.mdx new file mode 100644 index 0000000..87d6622 --- /dev/null +++ b/content/docs/reference/workspace/configuration.mdx @@ -0,0 +1,55 @@ +--- +title: Configuration +description: "Configure a CipherStash workspace for local development and production: the workspace CRN, client and access keys, and keyset selection." +type: reference +components: [platform, encryption] +--- + +A workspace is identified by its **CRN** and accessed with a **client key** and an **access key**. How those credentials reach your application differs between local development and production. + +## Local development + +For local development, credentials are handled automatically by device-based authentication. Run `stash init` to set up your device: + +```bash cta cta-type="quickstart" example-id="stash-init-workspace" +npx stash init +``` + +This creates a device-backed client key with access to the workspace's default keyset. No environment variables are needed. + +## Production credentials + +In production and CI/CD, a workspace is configured with explicit credentials: + +| Credential | Description | +|---|---| +| Workspace CRN | Identifies your workspace and its region, for example `crn:ap-southeast-2.aws:your-workspace-id` | +| Client ID | Identifies your application client key | +| Client key | Your half of the dual-party key split | +| Access key | Authenticates API calls to CipherStash | + +These are the same credentials the [Stack SDK](/reference/stack) and [Proxy](/reference/proxy/configuration) consume. For the full set of environment variables and programmatic options, see the [Stack SDK configuration reference](/reference/stack). + +See [going to production](/stack/deploy/going-to-production) for a step-by-step guide to generating them. + +## Keysets + +A workspace can hold many keysets. Data encrypted under one keyset cannot be decrypted with another, which is what makes keysets the boundary for tenant isolation, environment separation, and regional compliance. + +To use a specific keyset, pass the `keyset` option when constructing the client: + +```typescript filename="keyset-config.ts" +const client = await Encryption({ + schemas: [users], + config: { + keyset: { name: "tenant-a" }, + }, +}) +``` + +Proxy scopes keysets per connection instead. See [multitenant operation](/reference/proxy/multitenant). + +## Related + +- [Keysets](/stack/cipherstash/kms/keysets) for the isolation model. +- [Billing](/reference/workspace/billing) for the plans and how per-workspace billing works. diff --git a/content/docs/reference/workspace/index.mdx b/content/docs/reference/workspace/index.mdx new file mode 100644 index 0000000..d4414b5 --- /dev/null +++ b/content/docs/reference/workspace/index.mdx @@ -0,0 +1,21 @@ +--- +title: Workspace & account +description: "Workspace configuration, organization and workspace members, and per-workspace billing." +type: reference +components: [platform] +--- + +A **workspace** is the unit of isolation and billing in CipherStash. It holds your keysets, clients, access keys, and configuration. Workspaces belong to an **organization**, which owns the member list and the billing relationship. + +Use workspaces to separate environments (development from production), to scope access for a team, or to associate a custom identity provider. + +## In this section + +- [Configuration](/reference/workspace/configuration) covers workspace credentials, the workspace CRN, and keyset selection. +- [Members](/reference/workspace/members) covers organization and workspace membership, and developer device onboarding. +- [Billing](/reference/workspace/billing) covers the per-workspace billing model, and how upgrades and downgrades work. + +## Related + +- [Access keys](/stack/cipherstash/kms/access-keys) for the credentials that authenticate to ZeroKMS and CTS. +- [Glossary](/reference/glossary) for the difference between a workspace, a keyset, a client key, and a device. diff --git a/content/docs/reference/workspace/members.mdx b/content/docs/reference/workspace/members.mdx new file mode 100644 index 0000000..2e11803 --- /dev/null +++ b/content/docs/reference/workspace/members.mdx @@ -0,0 +1,32 @@ +--- +title: Members +description: "Manage CipherStash organization members and workspace memberships, and onboard developer devices for local development." +type: reference +components: [platform] +--- + +There are two types of membership in CipherStash: organization memberships and workspace memberships. Every user belongs to at least one organization, and can be invited to any number of workspaces inside that organization. + +## Organization memberships + +Organization memberships control which users have access to CipherStash in general. Once a user is added to an organization, they can be granted access to any number of workspaces inside it. + +Add a member from **Members** in the Dashboard's organization sidebar. + +## Workspace memberships + +Workspace memberships control which users have access to a specific workspace. Once a user is added to a workspace, they have full access to managing it, including creating and managing keysets, clients, and access keys. + +Add a member from the [workspace settings](https://dashboard.cipherstash.com/workspaces/_/settings) page in the Dashboard. + +## Developer device onboarding + +After a member is added to an organization and granted workspace access, they initialize their local development environment: + +```bash cta cta-type="quickstart" example-id="stash-init-member" +npx stash init +``` + +This creates a unique [device](/reference/glossary#device) and [client key](/reference/glossary#client-key) for that developer, with automatic access to the default [keyset](/reference/glossary#keyset). No environment variables are needed for local development. + +See [team onboarding](/stack/deploy/team-onboarding) for the full workflow. diff --git a/content/docs/reference/workspace/meta.json b/content/docs/reference/workspace/meta.json new file mode 100644 index 0000000..caec042 --- /dev/null +++ b/content/docs/reference/workspace/meta.json @@ -0,0 +1,4 @@ +{ + "title": "Workspace & account", + "pages": ["index", "configuration", "members", "billing"] +} diff --git a/content/docs/security/compliance/index.mdx b/content/docs/security/compliance/index.mdx new file mode 100644 index 0000000..9af190d --- /dev/null +++ b/content/docs/security/compliance/index.mdx @@ -0,0 +1,8 @@ +--- +title: Compliance +description: "Compliance documentation β€” being built as part of the docs V2 overhaul." +--- + +This section is being built as part of the docs V2 overhaul ([CIP-3307](https://linear.app/cipherstash/issue/CIP-3307)). Track progress in [IA.md](https://github.com/cipherstash/docs/blob/v2/IA.md). + +Until it lands, current documentation lives in the [existing docs](/stack). diff --git a/content/docs/security/compliance/meta.json b/content/docs/security/compliance/meta.json new file mode 100644 index 0000000..e7c6fa5 --- /dev/null +++ b/content/docs/security/compliance/meta.json @@ -0,0 +1,4 @@ +{ + "title": "Compliance", + "pages": ["..."] +} diff --git a/content/docs/security/cryptography.mdx b/content/docs/security/cryptography.mdx new file mode 100644 index 0000000..19db2c0 --- /dev/null +++ b/content/docs/security/cryptography.mdx @@ -0,0 +1,181 @@ +--- +title: Cryptography +description: "The canonical account of CipherStash's cryptographic design: the key hierarchy, what ZeroKMS does and does not learn, and what is cached." +type: concept +components: [platform] +audience: [ciso, cto] +reviewBy: "2027-01-09" +--- + +This page is the single reference for CipherStash's cryptographic design. Every other page that touches key management links here rather than restating it. + +## Cryptographic primitives + +| Purpose | Algorithm | Details | +|---|---|---| +| Data encryption | AES-256-GCM-SIV | Authenticated encryption with nonce-misuse resistance | +| Equality search terms | HMAC-SHA-256 | Deterministic terms for exact-match lookups | +| Range and sorting terms | Block ORE | Order-revealing encryption ([Lewi-Wu 2016](https://eprint.iacr.org/2016/612)), with enhancements from [Bogatov et al. 2018](https://arxiv.org/abs/1810.05135) | +| Free-text search terms | Encrypted Bloom filters | Trigram tokenization ([Nojima/Kadobayashi 2009](https://link.springer.com/chapter/10.1007/978-3-642-04474-8_17), [Chum/Zhang 2017](https://link.springer.com/chapter/10.1007/978-3-319-66399-9_15)) | +| Payload integrity | BLAKE3 | Structure validation of the encrypted payload | +| Payload encoding | MessagePack + Base85 | Compact binary serialization, stored as `jsonb` in PostgreSQL | + +Encryption and decryption happen in your application process, in the native Rust module. CipherStash infrastructure never sees plaintext. + +## The key hierarchy + +Three distinct things are often all called "the key". Keeping them apart is what makes the rest of this page readable. + +| Key | Where it lives | What protects it | +|---|---|---| +| **Authority key** | ZeroKMS, server-side | Encrypted at rest under an AWS KMS root key | +| **Client key** | Your application or workload | You do (`CS_CLIENT_KEY`) | +| **Data key** | Your application's memory, briefly | Nothing. It is derived per value, identified by a key ID, and discarded | + +The authority key and the client key are two halves of a split. Neither alone derives a data key, and the two are never brought together in one place. The key seed travels from ZeroKMS to you. The client key never travels at all. + +## How a data key is produced + +The mechanism operates at two layers, and descriptions that name only one of them are incomplete. + +### Layer 1: the key seed, produced server-side + +Your application requests a key seed by sending a **key ID**. ZeroKMS uses **proxy symmetric re-encryption** (patent pending) on the authority key to produce the **key seed** for that ID, and returns it. + +The ID is what gives every data key a unique identity. It travels with the encrypted value, so the same seed can be requested again to decrypt it. + +ZeroKMS does all of this without the client key. It never receives it, and the request carries no key material of yours, only the ID. That is what makes the architecture zero-knowledge: ZeroKMS produces a seed it cannot itself turn into a data key. + +### Layer 2: the data key, derived client-side + +Your application **processes the key seed with the client key**, then expands the result into a **unique data key per value** using an **HMAC-based key derivation function**. The data key encrypts the value with AES-256-GCM-SIV, then is discarded from memory. + +The client key never leaves your infrastructure, and neither does anything it processes. Only the seed crosses the boundary, and it crosses inward. + +```mermaid +flowchart TD + subgraph zerokms["ZeroKMS (CipherStash)"] + root["AWS KMS root key"] + auth["Authority key"] + seed["Key seed"] + root -. encrypts at rest .-> auth + auth -- "layer 1:
proxy symmetric re-encryption" --> seed + end + + subgraph you["Your infrastructure"] + keyid["Key ID
unique per data key"] + client["Client key
never leaves"] + processed["Processed seed"] + datakey["Data key
one per value
discarded after use"] + ciphertext["Ciphertext"] + client -- processes the seed --> processed + processed -- "layer 2:
HMAC-based KDF" --> datakey + datakey -- AES-256-GCM-SIV --> ciphertext + end + + keyid -- "requests a seed
(no key material)" --> auth + seed -- returned to your app --> processed +``` + +Re-encryption describes how the seed is produced. HMAC key derivation describes how the processed seed becomes per-value keys. Both are true, at different layers. + +Note what crosses the boundary. Outbound: a key ID, which is not key material. Inbound: the key seed. Nothing else leaves your infrastructure, not the client key, not the processed seed, not the data key. + +## What is cached, and what is not + + +This distinction matters for a security review, and earlier documentation stated it too broadly. "Nothing is cached" is not accurate. What is true is that **no data key is ever cached, stored, or transmitted.** + + +| Thing | Cached? | Detail | +|---|---|---| +| Data keys | Never | Derived per value, held in memory for the duration of one operation, then discarded | +| Key seeds | Not persisted | Held only for the operation that requested them | +| Keyset-scoped ciphers | **Yes, in Proxy** | [CipherStash Proxy](/reference/proxy/configuration) caches keyset-scoped cipher objects so it does not re-initialize per statement | +| Authority keys | At rest, in ZeroKMS | Encrypted under an AWS KMS root key | + +Proxy's cipher cache is bounded by `cipher_cache_size` (64 entries) and `cipher_cache_ttl_seconds` (3600 seconds), and its hit rate is exposed as `cipherstash_proxy_keyset_cipher_cache_hits_total`. Caching a keyset-scoped cipher is not the same as caching a data key: the cipher still requires the client key to derive anything, and per-value keys are still derived per value. + +The Stack SDK derives per operation and caches nothing. + +## Trust model + +An attacker must compromise **both** the ZeroKMS authority key and your client key to derive data keys. Compromising either alone is insufficient. + +- CipherStash never sees plaintext. Encryption and decryption run in your process. +- CipherStash never sees your client key, nor anything the client key has processed. +- CipherStash never sees a data key. Data keys are derived in your memory. +- Ciphertext never has to leave your infrastructure. ZeroKMS handles key material, not data. + +### Shared responsibility + +| You | CipherStash | +|---|---| +| Protect the client key (`CS_CLIENT_KEY`) | Protect authority keys, encrypted at rest under AWS KMS | +| Secure your application and database | Operate ZeroKMS with high availability | +| Manage access keys and keysets | Enforce access-control policy on keysets | +| Register identity providers for lock contexts | Operate the CipherStash Token Service (CTS) | +| Store encrypted data in your database | Never store, access, or log plaintext | + +### Blast radius + +[Keysets](/stack/cipherstash/kms/keysets) scope keys. Each keyset is a full cryptographic boundary: one tenant's keyset cannot decrypt another's data. Compromising a client key affects only the keysets that application can reach, and revoking its access key stops further key derivation immediately. + +## Data flow + +### Write path + +1. The application calls `client.encrypt(plaintext, { column, table })`. +2. The SDK requests a key seed from ZeroKMS over TLS, sending a unique key ID. The request carries no key material. +3. ZeroKMS re-encrypts under the authority key and returns the key seed for that ID. +4. The SDK processes the seed with the client key, then derives the data key from the result, locally. +5. The SDK encrypts the plaintext with AES-256-GCM-SIV. +6. If the column declares searchable capability, the SDK generates the index terms (HMAC, ORE, Bloom filter). +7. The SDK packs ciphertext and index terms into an [EQL payload](/reference/eql/core-concepts). +8. The data key is discarded. +9. The application stores the payload in PostgreSQL. + +### Read path + +1. The application reads the payload and calls `client.decrypt(...)`. +2. The SDK requests a key seed using the key ID stored with the value, processes it with the client key, and derives the data key locally. +3. The SDK decrypts the ciphertext, discards the data key, and returns plaintext. + +### Query path + +1. The application encrypts a search term. +2. The SDK generates the appropriate index term (HMAC for equality, ORE for range and ordering, Bloom filter for free text). +3. PostgreSQL compares encrypted terms using [EQL](/reference/eql) operators. The database never sees plaintext. + +## What querying encrypted data reveals + +Searchable encryption is a trade. Each index term reveals bounded information to whoever can read the database: HMAC terms reveal equality and therefore frequency, ORE terms reveal relative order, and Bloom filter terms reveal probabilistic token membership. + +That leakage model is documented once, in [Searchable encryption](/concepts/searchable-encryption), with per-term detail and guidance on when the trade is not worth making. Assess it as part of your threat model. If the ordering or frequency of a column's values is itself sensitive, encrypt that column without a searchable index and filter after decryption. + +## Network security + +All communication between the SDK and CipherStash services uses TLS 1.2 or later: + +- SDK to ZeroKMS, for key seeds. +- SDK to CTS, for token exchange during identity-aware encryption. +- SDK to your database: your existing connection. CipherStash does not proxy it. + +Key material does not leave the region your workspace is configured in. See [regions](/stack/cipherstash/kms/regions). + +## Open-source components + +| Component | Repository | +|---|---| +| EQL | [cipherstash/encrypt-query-language](https://github.com/cipherstash/encrypt-query-language) | +| ORE implementation | [cipherstash/ore.rs](https://github.com/cipherstash/ore.rs) | +| CipherStash Proxy | [cipherstash/proxy](https://github.com/cipherstash/proxy) | + +The core cryptographic implementations are open source and independently auditable. ZeroKMS is a managed service operated by CipherStash. + +## Related + +- [Searchable encryption](/concepts/searchable-encryption) for the canonical index-term leakage model. +- [Keysets](/stack/cipherstash/kms/keysets) for the isolation boundary. +- [Proxy configuration](/reference/proxy/configuration) for the cipher cache settings. +- [Provable access control](/solutions/provable-access) for binding decryption to an authenticated identity. diff --git a/content/docs/security/index.mdx b/content/docs/security/index.mdx new file mode 100644 index 0000000..9a8e230 --- /dev/null +++ b/content/docs/security/index.mdx @@ -0,0 +1,21 @@ +--- +title: Architecture & security +navTitle: Overview +description: "Trust model, cryptographic design, availability, audit, and compliance, written to be read end to end during a vendor security review." +type: concept +audience: [ciso, cto] +--- + +This section is written to be self-contained. A security team should be able to assess CipherStash from these pages without piecing the story together from reference material elsewhere. + +Start with [Cryptography](/security/cryptography). It is the canonical account of the cryptographic design: the key hierarchy, what ZeroKMS learns and does not learn, and what is cached. Every other page that touches key management links to it rather than restating it. + +## In this section + +- [Cryptography](/security/cryptography) covers the primitives, the key hierarchy, the trust model, and the data flow. +- [Compliance](/security/compliance) maps CipherStash onto specific frameworks. + +## Related + +- [Searchable encryption](/concepts/searchable-encryption) is the canonical account of what each index term reveals to the database. +- [Provable access control](/solutions/provable-access) covers binding decryption to an authenticated identity. diff --git a/content/docs/security/meta.json b/content/docs/security/meta.json new file mode 100644 index 0000000..ea315bc --- /dev/null +++ b/content/docs/security/meta.json @@ -0,0 +1,5 @@ +{ + "title": "Architecture & security", + "icon": "Shield", + "pages": ["index", "cryptography", "...", "compliance"] +} diff --git a/content/docs/solutions/data-residency.mdx b/content/docs/solutions/data-residency.mdx new file mode 100644 index 0000000..74effb9 --- /dev/null +++ b/content/docs/solutions/data-residency.mdx @@ -0,0 +1,133 @@ +--- +title: Data residency +description: "Meet data residency rules with regional ZeroKMS deployment, a dual-party key split, and multi-region patterns for cross-border access." +type: concept +components: [platform, encryption] +audience: [cto, ciso] +verifiedAgainst: + stack: "0.18.0" +--- + +CipherStash provides data residency guarantees through regional key management, encryption that happens entirely in your infrastructure, and cryptographic key splitting. This page covers the deployment patterns for organizations with cross-border data requirements. + +## Why the architecture gives you residency + +Three properties combine to keep data and key material inside a region: + +- **Plaintext never leaves your systems.** Encryption and decryption happen in your infrastructure, in the Stack SDK or Proxy. The cloud service never sees plaintext. +- **Encrypted values never leave your systems either.** Ciphertext lives in your database. +- **Data keys are never transmitted.** They are derived locally, not fetched over the network. + +## Regional ZeroKMS deployment + +ZeroKMS is deployed on AWS only. A workspace is tied to one region, and its region identifier forms part of the workspace CRN (`crn:ap-southeast-2.aws:your-workspace-id`). + + + +Selecting a ZeroKMS region controls where authority keys are managed. Combined with your application's deployment region, that determines where all key material exists. + +Need a region that is not listed? Contact [support@cipherstash.com](mailto:support@cipherstash.com). See the [regions reference](/stack/cipherstash/kms/regions) for more. + +## Dual-party key split + +CipherStash splits key material between two parties: + +1. **Authority key**, managed by ZeroKMS in your chosen region. +2. **Client key**, managed by your application in your infrastructure. + +Neither key alone derives a data key. ZeroKMS alone cannot access your data, because it holds only half the key material. Your application alone cannot either, because it needs a key seed from ZeroKMS. + +The two halves are never brought together in one place. ZeroKMS returns a key seed; your application processes that seed with the client key and derives the data key locally. The client key never leaves your infrastructure, and neither does anything it processes. See [cryptography](/security/cryptography). + +## Deployment patterns + +### Single region + +Deploy your application and ZeroKMS in the same region. + +```mermaid +flowchart TB + subgraph region["Region: eu-central-1.aws"] + app["Your app
+ client key"] + zerokms["ZeroKMS
+ authority key"] + db[("PostgreSQL
encrypted")] + app <-- key seed --> zerokms + app -- ciphertext --> db + end +``` + +All key material and data remain in one region. This satisfies most data residency requirements, including GDPR and regional data protection laws. + +### Multi-region with regional key isolation + +For organizations operating across regions with differing requirements, deploy a separate workspace per region. + +```mermaid +flowchart LR + subgraph eu["Region: eu-central-1.aws"] + euApp["App
+ client key"] + euKms["ZeroKMS (EU)"] + euDb[("PostgreSQL (EU)")] + euApp <-- key seed --> euKms + euApp -- ciphertext --> euDb + end + + subgraph apac["Region: ap-southeast-2.aws"] + apacApp["App
+ client key"] + apacKms["ZeroKMS (APAC)"] + apacDb[("PostgreSQL (APAC)")] + apacApp <-- key seed --> apacKms + apacApp -- ciphertext --> apacDb + end + + euDb -. "cannot be decrypted by" .-x apacApp +``` + +Each region gets its own ZeroKMS workspace with independent authority keys, its own client key (which, like every client key, never leaves your infrastructure), and its own database. Data encrypted in one region cannot be decrypted in another, which enforces the residency boundary cryptographically rather than by policy. + +### Cross-border access + +When a global team needs to reach encrypted data across regions, construct a client per region with that region's credentials. + +```typescript filename="regional-access.ts" +import { Encryption } from "@cipherstash/stack" +import { customers } from "./schema" + +// A client scoped to the EU workspace +const euClient = await Encryption({ + schemas: [customers], + config: { + workspaceCrn: process.env.CS_EU_WORKSPACE_CRN, + clientId: process.env.CS_EU_CLIENT_ID, + clientKey: process.env.CS_EU_CLIENT_KEY, + accessKey: process.env.CS_EU_ACCESS_KEY, + }, +}) + +// Decrypting EU customer data requires EU credentials +const result = await euClient.decrypt(encryptedEuRecord) + +if (result.failure) { + throw new Error(`Decryption failed: ${result.failure.message}`) +} +``` + +Access to each region's data requires that region's credentials, which gives you an auditable, revocable access model. To revoke a team member's access to a region, delete their client credentials in that region's workspace. + +## Compliance alignment + +| Requirement | How CipherStash addresses it | +|---|---| +| Data must not leave the region | Encryption and decryption happen locally; plaintext never leaves your infrastructure | +| Key material must stay in region | ZeroKMS authority keys are region-bound; client keys deploy with your app | +| Audit trail for cross-border access | ZeroKMS logs key derivation requests with identity context | +| Ability to revoke access | Delete client credentials, or revoke [lock context](/solutions/provable-access) identities | +| Cryptographic enforcement | The dual-party key split means a single party cannot decrypt alone | + +This architecture supports compliance with GDPR, regional data protection laws, and industry-specific requirements in healthcare and financial services. See [compliance](/security/compliance) for framework-by-framework detail. + +## Next steps + +- [Configure ZeroKMS regions](/stack/cipherstash/kms/regions) for your workspaces. +- [Set up provable access control](/solutions/provable-access) to bind decryption to an identity. +- [Review disaster recovery](/stack/cipherstash/kms/disaster-recovery) for multi-region key backup. diff --git a/content/docs/solutions/index.mdx b/content/docs/solutions/index.mdx new file mode 100644 index 0000000..c04d308 --- /dev/null +++ b/content/docs/solutions/index.mdx @@ -0,0 +1,46 @@ +--- +title: Solutions +description: "What CipherStash solves: protecting sensitive data, AI and RAG pipelines, data residency, and provable access." +type: concept +audience: [cto, ciso] +--- + +CipherStash encrypts sensitive data at the field level, in your infrastructure, while keeping it queryable. This section covers the problems that solves, and what an implementation looks like for each. + +## In this section + +- [Data residency](/solutions/data-residency) covers regional key management and the deployment patterns for cross-border requirements. +- [Provable access control](/solutions/provable-access) binds decryption to an authenticated identity, so access is cryptographically demonstrable rather than merely logged. + +## What data should I protect? + +When improving your data security practices, it can be difficult to know what data is important enough to protect. These are the common categories of sensitive data worth encrypting. + +### Personally identifiable information (PII) + +Any data that could identify a specific individual: names, phone numbers, dates of birth, addresses, emails, IP addresses, social security numbers, license numbers, passport numbers. + +**Applicable regulations:** GDPR, CCPA, HIPAA, APP (Australia), PCI-DSS, SOC 2, ISO 27001. + +### Protected health information (PHI) + +Any information about health status, provision of health care, or payment for health care that can be linked to an individual: medical record numbers, health insurance beneficiary numbers, biometric identifiers, medical conditions, medication histories, payment histories. + +**Applicable regulations:** HIPAA, CMIA, GDPR, APP. + +### Financial information + +Data about money, accounts, and transactions: account numbers and balances, transaction data, TFNs and ITINs, saved payees. + +**Applicable regulations:** GDPR, CCPA, PCI-DSS, CDR (Australia), SOC 2, ISO 27001. + +### Authentication information + +Credentials used to gain access to accounts and services: usernames, passwords (both plaintext and hashed), OAuth tokens, session cookies. + +**Applicable regulations:** SOC 2, ISO 27001, PCI-DSS. + +## Related + +- [Searchable encryption](/concepts/searchable-encryption) for how querying encrypted data works, and what each index term reveals. +- [Compliance](/security/compliance) for how CipherStash maps onto specific frameworks. diff --git a/content/docs/solutions/meta.json b/content/docs/solutions/meta.json new file mode 100644 index 0000000..866869f --- /dev/null +++ b/content/docs/solutions/meta.json @@ -0,0 +1,5 @@ +{ + "title": "Solutions", + "icon": "Target", + "pages": ["index", "...", "data-residency", "provable-access"] +} diff --git a/content/docs/solutions/provable-access.mdx b/content/docs/solutions/provable-access.mdx new file mode 100644 index 0000000..84875fd --- /dev/null +++ b/content/docs/solutions/provable-access.mdx @@ -0,0 +1,160 @@ +--- +title: Provable access control +description: "Bind decryption to an authenticated identity with lock contexts, so access to data is cryptographically demonstrable rather than merely logged." +type: concept +components: [platform, encryption] +audience: [ciso, cto] +verifiedAgainst: + stack: "0.19.0" + auth: "0.42.0" +--- + +Traditional access control relies on application logic. If a bug or misconfiguration exposes data, there is no way to prove afterwards whether access was unauthorized. CipherStash binds decryption to an authenticated identity, so access leaves cryptographic evidence rather than only a log entry. + +## How it works + +Two pieces combine. + +**An auth strategy** decides who the client is when it talks to ZeroKMS. `OidcFederationStrategy` federates a signed-in user's OIDC JWT (from Supabase, Clerk, Auth0, or Okta) into a CipherStash token, so every ZeroKMS request is made *as that user* rather than as your service. + +**A lock context** binds a value to a claim from that user's JWT, typically `sub`. ZeroKMS bakes the claim's value into the data key's tag, so only the user who encrypted a value can decrypt it. + +The two are layered, not alternatives: lock context requires `OidcFederationStrategy`, but you can use the strategy without lock context. Authenticating as the user gives you an audit trail; adding lock context gives you the cryptographic binding. + +That creates a provable access boundary: + +- If data was decrypted, the user's identity must have been present. +- ZeroKMS records the identity associated with every key derivation. +- The record cannot be falsified by tampering with application logs, because the evidence is the derivation itself, not the log line describing it. + + +A lock context restricts **who can decrypt**. It does not hide the ciphertext's existence, nor does it prevent a signed-in user from decrypting the values their own claim unlocks. It moves the enforcement point out of your application and into key derivation. + + +## Identity-aware encryption + +Add your identity provider to the workspace first, on the [OIDC providers](https://dashboard.cipherstash.com/workspaces/_/oidc-providers) page in the Dashboard. The `_` in that URL resolves to whichever workspace you have selected. + +### Authenticate as the end user + +Construct the client with `OidcFederationStrategy`. Pass a function that returns the *current* provider JWT: the strategy re-invokes it when it needs to re-federate, so do not capture a token once. + +```typescript filename="client.ts" +import { Encryption, OidcFederationStrategy } from "@cipherstash/stack" +import { patients } from "./schema" + +// Every ZeroKMS request is authenticated as the signed-in user +export const client = await Encryption({ + schemas: [patients], + config: { + authStrategy: OidcFederationStrategy.create( + process.env.CS_WORKSPACE_CRN, + () => getProviderJwt(), + ), + }, +}) +``` + +`OidcFederationStrategy` is re-exported by `@cipherstash/stack`, so you do not need a separate import from [`@cipherstash/auth`](https://www.npmjs.com/package/@cipherstash/auth). + + +`OidcFederationStrategy` is the only strategy that supports lock contexts. `AccessKeyStrategy` authenticates as your service rather than as an end user, so there is no user identity for ZeroKMS to resolve the claim against. + + +### Bind encryption to the user's identity + +Every example below uses the `client` from above. Without its `authStrategy`, `.withLockContext()` has no end-user identity to bind to. + +```typescript filename="identity-encrypt.ts" +// `client` is configured with OidcFederationStrategy, as above +import { client } from "./client" +import { patients } from "./schema" + +// The data key is tagged with the authenticated provider's `sub` claim +async function encryptDiagnosis(diagnosis: string) { + const result = await client + .encrypt(diagnosis, { column: patients.diagnosis, table: patients }) + .withLockContext({ identityClaim: ["sub"] }) + + if (result.failure) { + throw new Error(`Encryption failed: ${result.failure.message}`) + } + + return result.data +} +``` + +### Decrypt with the same identity claim + +Decryption requires the same lock context, resolved against whichever user the client is currently authenticated as. + +```typescript filename="identity-decrypt.ts" +// The same `client`, authenticated as the same user +async function decryptDiagnosis(encryptedDiagnosis: unknown) { + const result = await client + .decrypt(encryptedDiagnosis) + .withLockContext({ identityClaim: ["sub"] }) + + if (result.failure) { + // Key derivation fails when the identity does not match + throw new Error(`Access denied: ${result.failure.message}`) + } + + return result.data +} +``` + +Lock contexts work with every operation: `encrypt`, `decrypt`, `encryptModel`, `decryptModel`, `bulkEncrypt`, `bulkDecrypt`, `bulkEncryptModels`, and `bulkDecryptModels`. + + +`lockContext.identify(jwt)` is **deprecated**. Per-operation CTS tokens were removed in `protect-ffi` 0.25, so `identify()` no longer affects encryption: code that still calls it compiles and logs a deprecation warning, but the token it fetches is unused. Authenticate the client with `OidcFederationStrategy` and pass the claim to `.withLockContext()` instead. + +Constructing a `LockContext` is not deprecated, it is simply optional here. `.withLockContext()` accepts either a `LockContext` or a plain `{ identityClaim }`. + + +## Audit logging + +Every encryption and decryption through ZeroKMS produces an audit event: + +| Field | Description | +|---|---| +| Identity | The authenticated user or service | +| Operation | Encrypt or decrypt | +| Timestamp | When the operation occurred | +| Keyset | Which keyset was used | +| Application | Which application performed the operation | + +### Combining with Proxy audit + +[CipherStash Proxy](/reference/proxy) adds statement-level audit on top: statement fingerprinting to identify unique query patterns against encrypted data, SQL redaction to strip sensitive values from logged queries, primary key injection to track which records were touched, and record reconciliation to map access events back to rows. See [Proxy audit](/stack/cipherstash/proxy/audit). + +Together these answer who accessed what data, when, and using which query. + +## Use cases + +### Healthcare: HIPAA audit requirements + +HIPAA requires audit controls recording who accessed protected health information. Authenticating each request as the signed-in provider means the ZeroKMS audit log records the identity, the operation, the keyset, and the timestamp for each derivation, and a lock context ties each patient record to the provider who encrypted it. + +### Financial services: segregation of duties + +Encrypt audit records under a compliance-team member's identity. Someone on the trading desk, authenticated as themselves, resolves a different claim value, so key derivation fails and the records do not decrypt. The separation is enforced at derivation, not by a role check in the application. + +### Multi-tenant SaaS: tenant isolation + +Bind encryption to a per-user claim so only that user's identity can decrypt their data. For coarser isolation that does not depend on a signed-in end user, separate [keysets](/stack/cipherstash/kms/keysets) usually fit better: a keyset boundary is per-client or per-connection, where a lock context is per-identity. + +## Compared to application-level access control + +| Aspect | Application logic | Lock contexts | +|---|---|---| +| Enforcement | A software check, which can be bypassed | Key derivation, which cannot be skipped | +| Audit trail | Application logs, which can be edited | ZeroKMS derivation records | +| Proof of access | Circumstantial, from log entries | Direct: decryption required the identity | +| Blast radius of a bug | Data exposed when the check is bypassed | Data stays encrypted when application logic fails | + +## Next steps + +- [Data residency](/solutions/data-residency) for revoking access per region. +- [Proxy audit](/stack/cipherstash/proxy/audit) for statement-level audit logging. +- [Compliance](/security/compliance) for GDPR, HIPAA, and PCI-DSS mapping. diff --git a/content/stack/cipherstash/kms/regions.mdx b/content/stack/cipherstash/kms/regions.mdx index bffd4f8..d101365 100644 --- a/content/stack/cipherstash/kms/regions.mdx +++ b/content/stack/cipherstash/kms/regions.mdx @@ -7,13 +7,9 @@ Each workspace is tied to a specific region and is deployed in that region's [Ze ## Supported ZeroKMS regions -- Asia Pacific (Sydney) -- Europe (Frankfurt) -- Europe (Ireland) -- US East (N. Virginia) -- US East (Ohio) -- US West (N. California) -- US West (Oregon) +ZeroKMS is deployed on AWS only. A region identifier forms part of your workspace CRN, for example `crn:ap-southeast-2.aws:your-workspace-id`. + + ## Requesting a new region diff --git a/content/stack/meta.json b/content/stack/meta.json index 340df56..34e13fc 100644 --- a/content/stack/meta.json +++ b/content/stack/meta.json @@ -1,8 +1,3 @@ { - "pages": [ - "quickstart", - "cipherstash", - "deploy", - "reference" - ] + "pages": ["quickstart", "cipherstash", "deploy", "reference"] } diff --git a/content/stack/reference/eql/meta.json b/content/stack/reference/eql/meta.json index 7568e54..d20d140 100644 --- a/content/stack/reference/eql/meta.json +++ b/content/stack/reference/eql/meta.json @@ -1,5 +1,3 @@ { - "pages": [ - "index" - ] -} \ No newline at end of file + "pages": ["index"] +} diff --git a/content/stack/reference/stack/meta.json b/content/stack/reference/stack/meta.json index 6f40473..dbb256d 100644 --- a/content/stack/reference/stack/meta.json +++ b/content/stack/reference/stack/meta.json @@ -1,5 +1,3 @@ { - "pages": [ - "latest" - ] -} \ No newline at end of file + "pages": ["latest"] +} diff --git a/next.config.mjs b/next.config.mjs index 2c59456..3ffa9e2 100644 --- a/next.config.mjs +++ b/next.config.mjs @@ -1,13 +1,39 @@ import { createMDX } from "fumadocs-mdx/next"; +import { v2Redirects } from "./v2-redirects.mjs"; const withMDX = createMDX(); +// V2 IA migration (CIP-3325): the full legacyβ†’v2 redirect map is gated so the +// preview site serves BOTH trees while sections migrate (legacy at /stack, v2 +// at the root). Flip on at merge; once content/stack is deleted the map +// becomes unconditional (CIP-3335). Coverage is enforced by +// `bun run validate-redirects` regardless of the flag. +const enableV2Redirects = process.env.ENABLE_V2_REDIRECTS === "1"; + /** @type {import('next').NextConfig} */ const config = { basePath: "/docs", reactStrictMode: true, async redirects() { return [ + // The app lives under the /docs basePath, so the bare domain root + // (e.g. on Vercel preview URLs) would otherwise 404. In production + // "/" never reaches this app β€” cipherstash.com routes only /docs/* + // here β€” so this only affects previews. + { + source: "/", + destination: "/docs", + basePath: false, + permanent: false, + }, + // Vanity URL for the new IA (safe to ship ungated: the path has no + // legacy traffic). Temporary until the v2 quickstart is canonical. + { + source: "/quickstart", + destination: "/get-started/quickstart", + permanent: false, + }, + ...(enableV2Redirects ? v2Redirects : []), // === 4-section consolidation: product sections under /cipherstash/ === { source: "/stack/encryption/:path*", @@ -287,11 +313,10 @@ const config = { destination: "/stack/deploy/aws-ecs", permanent: true, }, - { - source: "/reference/eql", - destination: "/stack/reference/eql", - permanent: false, - }, + // NOTE(v2): the AI-citation redirect "/reference/eql" β†’ + // "/stack/reference/eql" was removed here β€” its source collides with + // the v2 IA's /reference/eql page, which now serves that traffic + // directly (CIP-3325). { source: "/platform/workspaces/key-sets", destination: "/stack/cipherstash/kms/keysets", @@ -327,6 +352,13 @@ const config = { source: "/stack/:path*.mdx", destination: "/llms.mdx/stack/:path*", }, + // Raw-markdown mirror for the v2 tree (Cloudflare/agents fetch + // .mdx). Listed after the /stack rule so legacy paths keep + // resolving to the legacy collection. + { + source: "/:path*.mdx", + destination: "/llms.mdx/v2/:path*", + }, ], afterFiles: [ { diff --git a/package.json b/package.json index 7cc2dfd..b727a79 100644 --- a/package.json +++ b/package.json @@ -3,7 +3,7 @@ "version": "0.0.0", "private": true, "scripts": { - "prebuild": "bun run generate-docs && bun run generate-docs:eql && bun run validate-links", + "prebuild": "bun run generate-docs && bun run generate-docs:eql && bun run generate-docs:eql-api && bun run generate-docs:cli && bun run validate-content && bun run validate-mermaid && bun run validate-links && bun run validate-redirects", "build": "next build", "dev": "next dev -p 3001", "start": "next start", @@ -13,7 +13,12 @@ "format": "biome format --write", "generate-docs": "tsx scripts/generate-docs.ts", "generate-docs:eql": "tsx scripts/generate-eql-docs.ts", - "validate-links": "tsx scripts/validate-links.ts" + "generate-docs:eql-api": "tsx scripts/generate-eql-api-docs.ts", + "generate-docs:cli": "tsx scripts/generate-cli-docs.ts", + "validate-links": "tsx scripts/validate-links.ts", + "validate-redirects": "tsx scripts/validate-v2-redirects.ts", + "validate-content": "tsx scripts/validate-content-api.ts", + "validate-mermaid": "tsx scripts/validate-mermaid.ts" }, "dependencies": { "fumadocs-core": "16.6.0", @@ -21,6 +26,7 @@ "fumadocs-ui": "16.6.0", "github-slugger": "^2.0.0", "lucide-react": "^0.563.0", + "mermaid": "^11.16.0", "next": "16.2.3", "posthog-js": "^1.354.0", "posthog-node": "^5.26.0", @@ -31,10 +37,12 @@ "devDependencies": { "@biomejs/biome": "^2.3.14", "@tailwindcss/postcss": "^4.1.18", + "@types/jsdom": "^28.0.3", "@types/mdx": "^2.0.13", "@types/node": "^25.2.1", "@types/react": "^19.2.13", "@types/react-dom": "^19.2.3", + "jsdom": "^29.1.1", "postcss": "^8.5.6", "tailwindcss": "^4.1.18", "tsx": "^4.0.0", diff --git a/scripts/cli-supplements/auth.md b/scripts/cli-supplements/auth.md new file mode 100644 index 0000000..b17fc57 --- /dev/null +++ b/scripts/cli-supplements/auth.md @@ -0,0 +1,21 @@ +## How authentication works + +`stash auth login` runs the OAuth 2.0 **device authorization flow**: + +1. You pick a **region** for your CipherStash workspace. +2. The CLI opens your browser to a verification URL (and prints it, so it also + works over SSH or in a headless/agent environment) where you approve the + request. +3. Meanwhile the CLI polls CipherStash until you approve, then receives a + short-lived access token (it reports the token's expiry). +4. Your device is **bound to the workspace's default keyset**, so later commands + (`stash eql install`, `stash db push`, …) authenticate without a fresh login. + + +Login is device- and workspace-scoped. Authenticating from a new machine, or for a different workspace, re-runs the device flow. + + +{/* TODO(verify with product): profiles, multiple workspaces, and switching +between them (where they're stored and how they're selected) belong here, or +in a linked CLI concept page. The CLI currently exposes only `auth login`; +confirm the profile / workspace-switching surface before documenting it. */} diff --git a/scripts/fixtures/eql-manifest.sample.json b/scripts/fixtures/eql-manifest.sample.json new file mode 100644 index 0000000..25a5246 --- /dev/null +++ b/scripts/fixtures/eql-manifest.sample.json @@ -0,0 +1,192 @@ +{ + "_note": "ILLUSTRATIVE SAMPLE β€” shape only. Replaced at build time by the real eql-manifest.json from the eql-docs release asset (cipherstash/encrypt-query-language). Do not treat these signatures/domains as authoritative. Mirrors the real schema: domains live in `public.`, public functions in `eql_v3.`, internal ctors in `eql_v3_internal.` (visibility: private).", + "$schema": "https://schemas.cipherstash.com/eql/manifest/v1.json", + "name": "eql", + "version": "3.0.0-sample", + "generatedFrom": "doxygen-xml + catalog", + "counts": { "functions": 5, "public": 2, "private": 3, "domains": 9 }, + "functions": [ + { + "name": "version", + "signature": "version()", + "visibility": "public", + "brief": "Get the installed EQL version string.", + "description": "Returns the version string for the installed EQL library.", + "params": [], + "returns": { "type": "text", "description": "the version string" }, + "throws": [], + "notes": "", + "warnings": "", + "seeAlso": "", + "source": { "file": "src/v3/version.sql", "line": 28 } + }, + { + "name": "jsonb_path_query", + "signature": "jsonb_path_query(jsonb, text)", + "visibility": "public", + "brief": "Query encrypted JSONB for sv elements matching a selector.", + "description": "Returns one jsonb_entry row per matching encrypted element.", + "params": [ + { + "name": "val", + "type": "jsonb", + "description": "encrypted EQL payload with sv" + }, + { "name": "selector", "type": "text", "description": "selector hash" } + ], + "returns": { + "type": "public.jsonb_entry", + "description": "matching encrypted entries" + }, + "throws": [], + "notes": "", + "warnings": "", + "seeAlso": "", + "source": { "file": "src/v3/jsonb/functions.sql", "line": 358 } + }, + { + "name": "hmac_256", + "signature": "hmac_256(jsonb)", + "visibility": "private", + "brief": "Extract the HMAC-SHA-256 equality term from an encrypted value.", + "description": "Backs equality (`=`, `IN`, joins) on `_eq` and `text_search` columns.", + "params": [ + { "name": "val", "type": "jsonb", "description": "the encrypted value" } + ], + "returns": { "type": "text", "description": "the HMAC term" }, + "throws": [], + "notes": "", + "warnings": "", + "seeAlso": "", + "source": { "file": "src/v3/sem/hmac_256/functions.sql", "line": 12 } + }, + { + "name": "bloom_filter", + "signature": "bloom_filter(jsonb)", + "visibility": "private", + "brief": "Extract the bloom-filter match term from an encrypted value.", + "description": "Backs token containment (`@>`) on `text_match` / `text_search` columns.", + "params": [ + { "name": "val", "type": "jsonb", "description": "the encrypted value" } + ], + "returns": { + "type": "smallint[]", + "description": "the set bit positions" + }, + "throws": [], + "notes": "", + "warnings": "", + "seeAlso": "", + "source": { "file": "src/v3/sem/bloom_filter/functions.sql", "line": 20 } + }, + { + "name": "ore_block_256", + "signature": "ore_block_256(jsonb)", + "visibility": "private", + "brief": "Extract the ORE ordering term from an encrypted value.", + "description": "Backs range and ordering (`<`, `>`, `ORDER BY`) on `_ord` columns.", + "params": [ + { "name": "val", "type": "jsonb", "description": "the encrypted value" } + ], + "returns": { + "type": "eql_v3_internal.ore_block_256", + "description": "the ORE term" + }, + "throws": [], + "notes": "", + "warnings": "", + "seeAlso": "", + "source": { "file": "src/v3/sem/ore_block_256/functions.sql", "line": 8 } + } + ], + "domains": [ + { + "name": "public.integer", + "type": "integer", + "variant": "", + "base": "jsonb", + "capabilities": ["storage"], + "supportedOperators": [], + "termFunctions": [] + }, + { + "name": "public.integer_eq", + "type": "integer", + "variant": "eq", + "base": "jsonb", + "capabilities": ["equality"], + "supportedOperators": ["=", "<>"], + "termFunctions": ["eql_v3.eq_term"] + }, + { + "name": "public.integer_ord", + "type": "integer", + "variant": "ord", + "base": "jsonb", + "capabilities": ["equality", "order"], + "supportedOperators": ["=", "<>", "<", "<=", ">", ">="], + "termFunctions": ["eql_v3.ord_term"] + }, + { + "name": "public.integer_ord_ope", + "type": "integer", + "variant": "ord_ope", + "base": "jsonb", + "capabilities": ["equality", "order"], + "supportedOperators": ["=", "<>", "<", "<=", ">", ">="], + "termFunctions": ["eql_v3.ord_ope_term"] + }, + { + "name": "public.text_match", + "type": "text", + "variant": "match", + "base": "jsonb", + "capabilities": ["match"], + "supportedOperators": ["@>", "<@"], + "termFunctions": ["eql_v3.match_term"] + }, + { + "name": "public.text_search", + "type": "text", + "variant": "search", + "base": "jsonb", + "capabilities": ["equality", "order", "match"], + "supportedOperators": ["=", "<>", "<", "<=", ">", ">=", "@>", "<@"], + "termFunctions": [ + "eql_v3.eq_term", + "eql_v3.ord_term", + "eql_v3.match_term" + ] + }, + { + "name": "public.json", + "type": "jsonb", + "variant": "", + "base": "jsonb", + "shape": "stevec", + "capabilities": ["json"], + "supportedOperators": [], + "termFunctions": [] + }, + { + "name": "public.jsonb_entry", + "type": "jsonb", + "variant": "", + "base": "jsonb", + "shape": "stevec", + "capabilities": ["json"], + "supportedOperators": [], + "termFunctions": ["eql_v3.eq_term", "eql_v3.ore_cllw"] + }, + { + "name": "public.jsonb_query", + "type": "jsonb", + "variant": "", + "base": "jsonb", + "shape": "stevec", + "capabilities": ["json"], + "supportedOperators": [], + "termFunctions": [] + } + ] +} diff --git a/scripts/fixtures/stash-manifest.json b/scripts/fixtures/stash-manifest.json new file mode 100644 index 0000000..0de5ec4 --- /dev/null +++ b/scripts/fixtures/stash-manifest.json @@ -0,0 +1,511 @@ +{ + "name": "stash", + "version": "0.17.0", + "groups": [ + { + "title": "Setup & workflow", + "commands": [ + { + "name": "init", + "summary": "Initialize CipherStash for your project", + "long": "Set up CipherStash end-to-end: authenticate, introspect your database,\ninstall dependencies, install EQL, and hand off the rest to your local\ncoding agent. Every prompt has a non-interactive escape hatch, so init\nnever blocks waiting on a TTY (CI, agents, pipes).", + "examples": [ + "init", + "init --supabase", + "init --prisma-next", + "init --region us-east-1" + ], + "flags": [ + { + "name": "--supabase", + "description": "Use Supabase-specific setup flow." + }, + { + "name": "--drizzle", + "description": "Use Drizzle-specific setup flow." + }, + { + "name": "--prisma-next", + "description": "Use Prisma Next-specific setup flow (EQL bundle installed via prisma-next migration apply)." + }, + { + "name": "--proxy", + "description": "Query encrypted data via CipherStash Proxy." + }, + { + "name": "--no-proxy", + "description": "Query encrypted data directly via the SDK.", + "default": "true" + }, + { + "name": "--region", + "value": "", + "description": "Region to authenticate against (e.g. us-east-1). Skips the interactive region picker. Required for non-interactive init when not already logged in.", + "env": "STASH_REGION" + } + ] + }, + { + "name": "plan", + "summary": "Draft a reviewable encryption plan at .cipherstash/plan.md", + "examples": [ + "plan", + "plan --target claude-code" + ], + "flags": [ + { + "name": "--complete-rollout", + "description": "Plan the entire encryption lifecycle (schema-add through drop) in one document. Skips the production-deploy gate; only safe when this database is not backing a deployed application." + }, + { + "name": "--target", + "value": "", + "description": "Skip the agent-target picker and hand off directly to one of claude-code | codex | agents-md | wizard. Safe in non-TTY contexts." + } + ] + }, + { + "name": "impl", + "summary": "Execute the plan with a local agent", + "examples": [ + "impl", + "impl --continue-without-plan", + "impl --target claude-code" + ], + "flags": [ + { + "name": "--continue-without-plan", + "description": "Skip planning and go straight to implementation (interactively confirms before proceeding)." + }, + { + "name": "--target", + "value": "", + "description": "Skip the agent-target picker and hand off directly to one of claude-code | codex | agents-md | wizard. Safe in non-TTY contexts." + } + ] + }, + { + "name": "status", + "summary": "Displays implementation status", + "flags": [ + { + "name": "--quest", + "description": "Force the quest-log output (emoji + progress bars) even in non-TTY contexts." + }, + { + "name": "--plain", + "description": "Force the plain-text output even in TTY contexts." + }, + { + "name": "--json", + "description": "Emit a structured JSON document instead." + } + ] + }, + { + "name": "wizard", + "summary": "AI-guided encryption setup (reads your codebase)" + }, + { + "name": "doctor", + "summary": "Diagnose install problems (native binaries, runtime)" + }, + { + "name": "manifest", + "summary": "Print the structured, versioned command surface", + "long": "Emit the CLI command surface as data. `--json` produces the machine-\nreadable manifest the docs generator and agents consume; without it a\ngrouped command list is printed. The manifest is stamped with the CLI\nversion, so a page generated from it always names the version it describes.", + "examples": [ + "manifest --json", + "manifest" + ], + "flags": [ + { + "name": "--json", + "description": "Emit the structured JSON manifest instead of a text list." + } + ] + } + ] + }, + { + "title": "Auth", + "commands": [ + { + "name": "auth login", + "summary": "Authenticate with CipherStash", + "long": "Runs the OAuth 2.0 device authorization flow:\n1. Pick a region for your workspace.\n2. Approve in the browser β€” the URL is printed, so it works over SSH/headless.\n3. The CLI polls until you approve, then stores a short-lived token.\n4. Your device is bound to the workspace's default keyset, so later\n commands authenticate without a fresh login.", + "examples": [ + "auth login", + "auth login --region us-east-1", + "auth login --supabase", + "auth login --region us-east-1 --json" + ], + "flags": [ + { + "name": "--region", + "value": "", + "description": "Region to authenticate against (e.g. us-east-1). Skips the interactive region picker.", + "env": "STASH_REGION" + }, + { + "name": "--json", + "description": "Emit newline-delimited JSON events instead of prose. The first event (authorization_required) carries the device verification URL for a human to open. Implies no prompt and no browser auto-open." + }, + { + "name": "--no-open", + "description": "Don't auto-open the verification URL in a browser (already implied by --json)." + }, + { + "name": "--supabase", + "description": "Track Supabase as the referrer." + }, + { + "name": "--drizzle", + "description": "Track Drizzle as the referrer." + } + ] + }, + { + "name": "auth regions", + "summary": "List the regions you can authenticate against", + "examples": [ + "auth regions", + "auth regions --json" + ], + "flags": [ + { + "name": "--json", + "description": "Emit machine-readable [{ slug, label }] instead of a text list." + } + ] + } + ] + }, + { + "title": "EQL", + "commands": [ + { + "name": "eql install", + "summary": "Scaffold stash.config.ts (if missing) and install EQL extensions", + "flags": [ + { + "name": "--force", + "description": "Reinstall / overwrite even if already installed." + }, + { + "name": "--dry-run", + "description": "Show what would happen without making changes." + }, + { + "name": "--supabase", + "description": "Use Supabase-compatible mode (auto-detected from DATABASE_URL)." + }, + { + "name": "--drizzle", + "description": "Generate a Drizzle migration instead of direct install (auto-detected from project)." + }, + { + "name": "--migration", + "description": "Write a Supabase migration file instead of running SQL directly (requires --supabase)." + }, + { + "name": "--direct", + "description": "Run the SQL directly against the database (requires --supabase; mutually exclusive with --migration)." + }, + { + "name": "--migrations-dir", + "value": "", + "description": "Override the Supabase migrations directory (requires --supabase).", + "default": "supabase/migrations" + }, + { + "name": "--exclude-operator-family", + "description": "Skip operator family creation." + }, + { + "name": "--eql-version", + "value": "<2|3>", + "description": "EQL generation to target. v3 is the native eql_v3.* domain schema (direct install only for now).", + "default": "2" + }, + { + "name": "--latest", + "description": "Fetch the latest EQL from GitHub (v2 only)." + }, + { + "name": "--name", + "value": "", + "description": "With --drizzle: name for the generated migration (defaults to a scaffold name)." + }, + { + "name": "--out", + "value": "", + "description": "With --drizzle: directory to write the generated migration into." + }, + { + "name": "--database-url", + "value": "", + "description": "Override DATABASE_URL for this run only β€” never written to disk.", + "env": "DATABASE_URL" + } + ] + }, + { + "name": "eql upgrade", + "summary": "Upgrade EQL extensions to the latest version", + "flags": [ + { + "name": "--dry-run", + "description": "Show what would happen without making changes." + }, + { + "name": "--supabase", + "description": "Use Supabase-compatible mode." + }, + { + "name": "--exclude-operator-family", + "description": "Skip operator family creation." + }, + { + "name": "--eql-version", + "value": "<2|3>", + "description": "EQL generation to target.", + "default": "2" + }, + { + "name": "--latest", + "description": "Fetch the latest EQL from GitHub (v2 only)." + }, + { + "name": "--database-url", + "value": "", + "description": "Override DATABASE_URL for this run only β€” never written to disk.", + "env": "DATABASE_URL" + } + ] + }, + { + "name": "eql status", + "summary": "Show EQL installation status", + "flags": [ + { + "name": "--database-url", + "value": "", + "description": "Override DATABASE_URL for this run only β€” never written to disk.", + "env": "DATABASE_URL" + } + ] + } + ] + }, + { + "title": "Database", + "commands": [ + { + "name": "db push", + "summary": "Push encryption schema (writes pending if active config already exists)", + "flags": [ + { + "name": "--dry-run", + "description": "Show what would happen without making changes." + }, + { + "name": "--database-url", + "value": "", + "description": "Override DATABASE_URL for this run only β€” never written to disk.", + "env": "DATABASE_URL" + } + ] + }, + { + "name": "db activate", + "summary": "Promote pending β†’ active without renames (use after additive db push)", + "flags": [ + { + "name": "--database-url", + "value": "", + "description": "Override DATABASE_URL for this run only β€” never written to disk.", + "env": "DATABASE_URL" + } + ] + }, + { + "name": "db validate", + "summary": "Validate encryption schema", + "flags": [ + { + "name": "--supabase", + "description": "Use Supabase-compatible mode." + }, + { + "name": "--exclude-operator-family", + "description": "Skip operator family creation." + }, + { + "name": "--database-url", + "value": "", + "description": "Override DATABASE_URL for this run only β€” never written to disk.", + "env": "DATABASE_URL" + } + ] + }, + { + "name": "db migrate", + "summary": "Run pending encrypt config migrations (not yet implemented)" + }, + { + "name": "db test-connection", + "summary": "Test database connectivity", + "flags": [ + { + "name": "--database-url", + "value": "", + "description": "Override DATABASE_URL for this run only β€” never written to disk.", + "env": "DATABASE_URL" + } + ] + } + ] + }, + { + "title": "Schema", + "commands": [ + { + "name": "schema build", + "summary": "Build an encryption schema from your database", + "flags": [ + { + "name": "--supabase", + "description": "Use Supabase-compatible mode." + }, + { + "name": "--database-url", + "value": "", + "description": "Override DATABASE_URL for this run only β€” never written to disk.", + "env": "DATABASE_URL" + } + ] + } + ] + }, + { + "title": "Encrypt", + "commands": [ + { + "name": "encrypt status", + "summary": "Show per-column migration status (phase, progress, drift)" + }, + { + "name": "encrypt plan", + "summary": "Diff intent (.cipherstash/migrations.json) vs observed state" + }, + { + "name": "encrypt backfill", + "summary": "Resumably encrypt plaintext into the encrypted column", + "flags": [ + { + "name": "--table", + "value": "", + "description": "Target table." + }, + { + "name": "--column", + "value": "", + "description": "Target column." + }, + { + "name": "--pk-column", + "value": "", + "description": "Primary-key column used to page through rows." + }, + { + "name": "--chunk-size", + "value": "", + "description": "Rows encrypted per batch." + }, + { + "name": "--encrypted-column", + "value": "", + "description": "Destination encrypted column." + }, + { + "name": "--schema-column-key", + "value": "", + "description": "Schema key identifying the column config." + }, + { + "name": "--confirm-dual-writes-deployed", + "description": "Assert the app is dual-writing before backfilling (safety gate)." + }, + { + "name": "--force", + "description": "Proceed past non-fatal safety checks." + } + ] + }, + { + "name": "encrypt cutover", + "summary": "Rename swap encrypted β†’ primary column", + "flags": [ + { + "name": "--table", + "value": "", + "description": "Target table." + }, + { + "name": "--column", + "value": "", + "description": "Target column." + }, + { + "name": "--proxy-url", + "value": "", + "description": "Proxy URL to verify against." + }, + { + "name": "--migrations-dir", + "value": "", + "description": "Directory to write the rename migration into." + } + ] + }, + { + "name": "encrypt drop", + "summary": "Generate a migration to drop the plaintext column", + "flags": [ + { + "name": "--table", + "value": "", + "description": "Target table." + }, + { + "name": "--column", + "value": "", + "description": "Target column." + }, + { + "name": "--migrations-dir", + "value": "", + "description": "Directory to write the drop migration into." + } + ] + } + ] + }, + { + "title": "Experimental", + "commands": [ + { + "name": "env", + "summary": "(experimental) Print production env vars for deployment", + "flags": [ + { + "name": "--write", + "description": "Write the vars to a file instead of printing them." + } + ] + } + ] + } + ] +} diff --git a/scripts/generate-cli-docs.ts b/scripts/generate-cli-docs.ts new file mode 100644 index 0000000..89a59ce --- /dev/null +++ b/scripts/generate-cli-docs.ts @@ -0,0 +1,415 @@ +#!/usr/bin/env tsx +/** + * CLI reference generator. + * + * Generates the `/reference/cli` pages from the `stash` CLI itself, so the + * reference can never drift from the shipped command surface. Every page is + * stamped with the CLI version it was generated from. + * + * ── Data source ─────────────────────────────────────────────────────────── + * We consume `stash manifest --json` (shipped in stash CLI 0.17) β€” the + * structured, versioned command surface the CLI builds from its own command + * registry. Groups, summaries, per-command flags (with defaults + env vars), + * and curated examples all come straight from the CLI, so the docs are a + * projection of the real command set rather than a scrape of `--help`. + * + * ── Versioning ──────────────────────────────────────────────────────────── + * Always generated from the LATEST published `stash` on npm (resolved via + * `npm view stash version`), so a new release plus a run of this script β€” it + * runs in `prebuild` β€” refreshes the docs automatically. Every page carries + * `verifiedAgainst.cli` and a visible banner, so readers and agents always + * know which version the docs describe. Offline, it falls back to the cached + * `scripts/fixtures/stash-manifest.json`. + */ +import { execSync } from "node:child_process"; +import fs from "node:fs"; +import os from "node:os"; +import path from "node:path"; + +const CLI_NAME = "stash"; +let CLI_VERSION = ""; // resolved to the latest published npm version at run time +const RUNNER = "npx"; // normalized invocation shown in docs +const FIXTURE = path.join( + process.cwd(), + "scripts/fixtures", + "stash-manifest.json", +); +const OUT_DIR = path.join(process.cwd(), "content/docs/reference/cli"); +// Hand-authored per-command prose merged into the generated page (hybrid model): +// the generated skeleton (synopsis + flags + examples) stays drift-free; a +// supplement adds rich narrative the manifest doesn't carry. Lives outside +// content/ so it's never treated as a page or wiped by the clean step. Where +// the CLI grows per-command long-help, that prose can migrate into the CLI and +// this hook retires. +const SUPPLEMENTS_DIR = path.join(process.cwd(), "scripts/cli-supplements"); + +// ── The `stash manifest --json` contract ──────────────────────────────────── +// Mirrors packages/cli/src/cli/manifest.ts in the stack repo. Command `name` +// is the full path ("eql install"); flags are already resolved per-command. +interface CliFlag { + name: string; // "--supabase" + value?: string; // "" + description: string; + default?: string; // surfaced default, when worth showing + env?: string; // env var that also sets this, e.g. DATABASE_URL +} +interface CliCommand { + name: string; + summary: string; + long?: string; + examples?: string[]; + flags?: CliFlag[]; +} +interface CliGroup { + title: string; + commands: CliCommand[]; +} +interface CliManifest { + name: string; + version: string; + groups: CliGroup[]; +} + +// ── Internal model (what the renderer consumes) ───────────────────────────── +interface Flag { + name: string; + value?: string; + description: string; +} +interface Command { + path: string; // "eql install" + base: string; // "eql" + sub?: string; // "install" + group: string; // nav group title, from the manifest + summary: string; + flags: Flag[]; + examples: string[]; +} +interface Manifest { + name: string; + version: string; + commands: Command[]; + groupOrder: string[]; // nav group order, as the CLI declares it +} + +// EQL/Postgres command groups get the `eql` component facet too (content-model +// rule: tag `eql` for queryable-in-Postgres ciphertext). +const componentsFor = (base: string): string[] => + ["eql", "db", "schema", "encrypt"].includes(base) ? ["cli", "eql"] : ["cli"]; + +// ── Source ────────────────────────────────────────────────────────────────── +// Resolve the latest published version so the docs track releases automatically. +function latestVersion(): string { + try { + return execSync(`npm view ${CLI_NAME} version`, { + encoding: "utf8", + }).trim(); + } catch { + const cached = fs.existsSync(FIXTURE) + ? (JSON.parse(fs.readFileSync(FIXTURE, "utf8")) as CliManifest).version + : undefined; + if (cached) { + console.warn(`⚠ npm unreachable; using cached stash v${cached}.`); + return cached; + } + throw new Error( + "Cannot resolve latest stash version (offline, no fixture).", + ); + } +} + +// Run the resolved CLI and read its `manifest --json`, caching to a fixture for +// offline builds. dotenvx (the CLI's launcher) may print tips before the JSON, +// so slice from the first `{` to the last `}` defensively. +function loadRawManifest(version: string): CliManifest { + try { + const out = execSync(`npx --yes ${CLI_NAME}@${version} manifest --json`, { + encoding: "utf8", + cwd: os.tmpdir(), + stdio: ["ignore", "pipe", "ignore"], + }); + const start = out.indexOf("{"); + const end = out.lastIndexOf("}"); + if (start === -1 || end < start) { + throw new Error( + `\`${CLI_NAME}@${version} manifest --json\` did not emit a JSON object (got: ${out.trim().slice(0, 120)}…)`, + ); + } + const manifest = JSON.parse(out.slice(start, end + 1)) as CliManifest; + fs.mkdirSync(path.dirname(FIXTURE), { recursive: true }); + fs.writeFileSync(FIXTURE, `${JSON.stringify(manifest, null, 2)}\n`); + return manifest; + } catch { + if (fs.existsSync(FIXTURE)) { + console.warn(`⚠ Could not run stash@${version}; using cached fixture.`); + return JSON.parse(fs.readFileSync(FIXTURE, "utf8")) as CliManifest; + } + throw new Error( + `Could not run stash@${version} manifest --json and no cached fixture exists.`, + ); + } +} + +// Fold the manifest's richer flag metadata (default + env) into the description +// column so the page format (Flag | Description) stays a single table. +function mapFlag(f: CliFlag): Flag { + const notes: string[] = []; + if (f.default !== undefined) notes.push(`default: \`${f.default}\``); + if (f.env) notes.push(`env: \`${f.env}\``); + const description = notes.length + ? `${f.description} (${notes.join("; ")})` + : f.description; + return { name: f.name, value: f.value, description }; +} + +// Project the CLI manifest onto the internal model the renderer consumes. +function toManifest(m: CliManifest): Manifest { + const commands: Command[] = []; + const groupOrder: string[] = []; + for (const group of m.groups) { + if (!group.commands.length) continue; + if (!groupOrder.includes(group.title)) groupOrder.push(group.title); + for (const c of group.commands) { + const [base, ...rest] = c.name.split(/\s+/); + commands.push({ + path: c.name, + base, + sub: rest.length ? rest.join(" ") : undefined, + group: group.title, + summary: c.summary, + flags: (c.flags ?? []).map(mapFlag), + examples: (c.examples ?? []).map((e) => `${RUNNER} ${CLI_NAME} ${e}`), + }); + } + } + return { name: m.name, version: m.version, commands, groupOrder }; +} + +// ── Render ─────────────────────────────────────────────────────────────────── +const generatedMarker = (): string => + `{/* GENERATED β€” do not edit. Produced by scripts/generate-cli-docs.ts from \`${CLI_NAME} manifest --json\` (v${CLI_VERSION}). Re-run \`bun run generate-docs:cli\` to refresh from the latest published CLI. */}`; + +function banner(): string { + return ` +Generated from **\`${CLI_NAME}\` v${CLI_VERSION}** via \`${RUNNER} ${CLI_NAME}@${CLI_VERSION} manifest --json\`. Run \`${RUNNER} ${CLI_NAME}@${CLI_VERSION} --help\` to see the live command surface. +`; +} + +// Escape characters MDX parses as JSX inside prose: `{`/`}` (expression braces β€” +// e.g. the `auth regions` flag description "[{ slug, label }]" would otherwise +// evaluate `slug` and crash the prerender) and stray `<` (tags). Flag names and +// values render inside code spans, which are literal, so this only applies to +// manifest-derived prose (descriptions, summaries). +const escapeMdxText = (s: string): string => s.replace(/([{}<])/g, "\\$1"); + +function flagsTable(flags: Flag[]): string { + if (!flags.length) return ""; + const rows = flags + .map((f) => { + // Escape pipes (e.g. the `<2|3>` in `--eql-version`) so they don't read + // as table-column separators, even inside the code span. + const opt = `\`${f.name}${f.value ? ` ${f.value}` : ""}\``.replace( + /\|/g, + "\\|", + ); + const description = escapeMdxText(f.description).replace(/\|/g, "\\|"); + return `| ${opt} | ${description} |`; + }) + .join("\n"); + return `\n### Flags\n\n| Flag | Description |\n| --- | --- |\n${rows}\n`; +} + +function commandSection(cmd: Command, level: "##" | "###"): string { + const synopsis = `${RUNNER} ${CLI_NAME} ${cmd.path}${cmd.flags.length ? " [flags]" : ""}`; + const parts = [ + `${level} \`${cmd.path}\``, + "", + escapeMdxText(cmd.summary), + "", + "```bash", + synopsis, + "```", + ]; + if (cmd.flags.length) + parts.push(flagsTable(cmd.flags).replace("### Flags", `${level}# Flags`)); + if (cmd.examples.length) { + parts.push( + `\n${level}# Examples\n`, + "```bash", + cmd.examples.join("\n"), + "```", + ); + } + return parts.join("\n"); +} + +function renderPage( + base: string, + cmds: Command[], +): { slug: string; body: string } { + const isGroup = cmds.some((c) => c.sub) || cmds.length > 1; + const title = base; + const components = componentsFor(base); + const description = isGroup + ? `Reference for the \`${CLI_NAME} ${base}\` commands.` + : cmds[0].summary; + + const frontmatter = [ + "---", + `title: ${CLI_NAME} ${title}`, + `description: ${JSON.stringify(description)}`, + "type: reference", + `components: [${components.join(", ")}]`, + "verifiedAgainst:", + ` cli: "${CLI_VERSION}"`, + "---", + ].join("\n"); + + const parts = [frontmatter, "", generatedMarker(), "", banner(), ""]; + + if (isGroup) { + parts.push( + `The \`${CLI_NAME} ${base}\` command group.`, + "", + cmds.map((c) => commandSection(c, "###")).join("\n\n"), + ); + } else { + const c = cmds[0]; + parts.push( + escapeMdxText(c.summary), + "", + "```bash", + `${RUNNER} ${CLI_NAME} ${c.path}${c.flags.length ? " [flags]" : ""}`, + "```", + ); + if (c.flags.length) parts.push(flagsTable(c.flags)); + if (c.examples.length) + parts.push("\n## Examples\n", "```bash", c.examples.join("\n"), "```"); + } + + const supplement = readSupplement(base); + const body = `${parts.join("\n").trimEnd()}${supplement ? `\n\n${supplement}` : ""}\n`; + return { slug: base, body }; +} + +// Optional hand-authored prose for a command, merged after its generated +// reference. Returns "" when no supplement exists. +function readSupplement(slug: string): string { + const file = path.join(SUPPLEMENTS_DIR, `${slug}.md`); + return fs.existsSync(file) ? fs.readFileSync(file, "utf8").trim() : ""; +} + +function renderIndex( + manifest: Manifest, + groups: Map, +): string { + const frontmatter = [ + "---", + "title: CLI", + `description: "Command reference for the ${CLI_NAME} CLI, generated from v${CLI_VERSION}."`, + "type: reference", + "components: [cli]", + "verifiedAgainst:", + ` cli: "${CLI_VERSION}"`, + "---", + ].join("\n"); + + const sections = manifest.groupOrder + .filter((g) => groups.has(g)) + .map((g) => { + const rows = groups + .get(g)! + .flatMap((base) => + manifest.commands + .filter((c) => c.base === base) + .map((c) => { + const anchor = c.sub ? `#${c.path.replace(/\s+/g, "-")}` : ""; + const summary = escapeMdxText(c.summary).replace(/\|/g, "\\|"); + return `| [\`${c.path}\`](/reference/cli/${base}${anchor}) | ${summary} |`; + }), + ) + .join("\n"); + return `### ${g}\n\n| Command | Description |\n| --- | --- |\n${rows}`; + }) + .join("\n\n"); + + return `${frontmatter} + +${generatedMarker()} + +${banner()} + +The \`${CLI_NAME}\` CLI. Install with \`${RUNNER} ${CLI_NAME}@${CLI_VERSION}\`. Every command accepts \`--help\` and \`--version\`. + +${sections} +`; +} + +function renderMeta(manifest: Manifest, groups: Map): string { + const pages: string[] = []; + for (const g of manifest.groupOrder) { + if (!groups.has(g)) continue; + pages.push(`---${g}---`); + pages.push(...groups.get(g)!); + } + return `${JSON.stringify({ title: "CLI", pages }, null, 2)}\n`; +} + +// ── Main ───────────────────────────────────────────────────────────────────── +function loadManifest(): Manifest { + return toManifest(loadRawManifest(CLI_VERSION)); +} + +function main() { + // latestVersion() picks which published CLI to invoke; the manifest we get + // back is authoritative for what to stamp. Reconcile CLI_VERSION to it so + // pages never claim a version different from the data they were built from + // (e.g. when the live run fails and we fall back to an older cached fixture). + CLI_VERSION = latestVersion(); + const manifest = loadManifest(); + CLI_VERSION = manifest.version; + + // Group top-level commands by base, preserving discovery order. + const bases: string[] = []; + for (const c of manifest.commands) + if (!bases.includes(c.base)) bases.push(c.base); + + // Nav groups, in the order the CLI declares them; a base inherits the group + // of its commands. + const groups = new Map(); + for (const g of manifest.groupOrder) groups.set(g, []); + for (const base of bases) { + const g = manifest.commands.find((c) => c.base === base)!.group; + groups.get(g)!.push(base); + } + for (const [g, list] of groups) if (!list.length) groups.delete(g); + + // Clean previously generated pages, then write fresh. + fs.mkdirSync(OUT_DIR, { recursive: true }); + for (const f of fs.readdirSync(OUT_DIR)) { + if (f.endsWith(".mdx") || f === "meta.json") + fs.rmSync(path.join(OUT_DIR, f)); + } + + let count = 0; + for (const base of bases) { + const cmds = manifest.commands.filter((c) => c.base === base); + const { slug, body } = renderPage(base, cmds); + fs.writeFileSync(path.join(OUT_DIR, `${slug}.mdx`), body); + count++; + } + fs.writeFileSync( + path.join(OUT_DIR, "index.mdx"), + renderIndex(manifest, groups), + ); + fs.writeFileSync( + path.join(OUT_DIR, "meta.json"), + renderMeta(manifest, groups), + ); + + console.log( + `βœ“ Generated ${count} CLI reference page(s) for ${CLI_NAME} v${manifest.version} β†’ ${path.relative(process.cwd(), OUT_DIR)}`, + ); +} + +main(); diff --git a/scripts/generate-eql-api-docs.ts b/scripts/generate-eql-api-docs.ts new file mode 100644 index 0000000..0967d92 --- /dev/null +++ b/scripts/generate-eql-api-docs.ts @@ -0,0 +1,305 @@ +#!/usr/bin/env tsx +/** + * EQL API reference generator + drift guard (docs V2). + * + * Consumes the structured `eql-manifest.json` that the EQL repo emits from its + * Doxygen'd SQL (cipherstash/encrypt-query-language#364) and: + * + * 1. Generates a version-stamped function catalog at + * content/docs/reference/eql/functions.mdx β€” the exhaustive, drift-proof + * low-level reference the hand-written pedagogical pages link to. + * 2. Drift-lints the hand-written pages: every schema-qualified reference + * (`public.`, `eql_v3.`, `eql_v3_internal.`) must match the + * manifest by schema AND name. This catches fabricated names, stale + * payloads, and right-name/wrong-schema refs (e.g. `eql_v3.text_eq` for a + * domain that lives in `public`) β€” the classes of drift that slipped into + * the v2 docs. + * + * ── Manifest source ──────────────────────────────────────────────────────── + * Reads the committed illustrative sample by default. Set EQL_MANIFEST_PATH to + * a real manifest (the `eql-docs-` release asset extracted by + * `generate-eql-docs.ts`, or a locally-generated one) β€” the renderer and lint + * are identical either way. + * + * The drift-lint is REPORT-ONLY against the sample (tiny, so most real symbols + * read as "unknown"); it becomes a failing gate against a real manifest + * (auto-strict when EQL_MANIFEST_PATH is set). See STRICT below. + */ +import fs from "node:fs"; +import path from "node:path"; + +// Manifest source, in priority order: +// 1. EQL_MANIFEST_PATH β€” explicit override (local testing / CI). +// 2. .eql-manifest.release.json β€” extracted from the eql-docs release asset +// by generate-eql-docs.ts (present once a release ships the manifest). +// 3. the committed illustrative sample β€” offline fallback. +const SAMPLE_MANIFEST = path.join( + process.cwd(), + "scripts/fixtures/eql-manifest.sample.json", +); +const RELEASE_MANIFEST = path.join(process.cwd(), ".eql-manifest.release.json"); +const MANIFEST_PATH = + process.env.EQL_MANIFEST_PATH ?? + (fs.existsSync(RELEASE_MANIFEST) ? RELEASE_MANIFEST : SAMPLE_MANIFEST); +const EQL_DIR = path.join(process.cwd(), "content/docs/reference/eql"); +const OUT_FILE = path.join(EQL_DIR, "functions.mdx"); +// Single source for the EQL version the whole reference is built against: the +// release manifest's own `version`. Written here so the banner on +// every EQL page reads the same release-derived value (no hardcoded constant). +const VERSION_FILE = path.join(process.cwd(), "src/lib/eql-version.ts"); +// Report-only against the illustrative sample; a failing gate against any real +// manifest (the release asset or an explicit override). +const STRICT = MANIFEST_PATH !== SAMPLE_MANIFEST; + +interface Param { + name: string; + type?: string; + description?: string; +} +interface Fn { + name: string; + signature: string; + visibility: "public" | "private"; + brief: string; + description?: string; + params: Param[]; + returns?: { type?: string; description?: string }; + source?: { file?: string; line?: number }; +} +interface Domain { + name: string; + type: string; + variant: string; + base?: string; + capabilities: string[]; + supportedOperators?: string[]; + termFunctions?: string[]; + shape?: string; +} +interface Manifest { + version: string; + functions: Fn[]; + domains?: Domain[]; +} + +function loadManifest(): Manifest { + return JSON.parse(fs.readFileSync(MANIFEST_PATH, "utf8")); +} + +// ── Render the generated catalog ───────────────────────────────────────────── +function paramsTable(params: Param[]): string { + if (!params.length) return ""; + const rows = params + .map( + (p) => + `| \`${p.name}\` | ${p.type ? `\`${p.type}\`` : ""} | ${(p.description ?? "").replace(/\|/g, "\\|")} |`, + ) + .join("\n"); + return `\n| Parameter | Type | Description |\n| --- | --- | --- |\n${rows}\n`; +} + +// Public functions are heavily overloaded β€” one name per operation with a +// per-encrypted-type variant, all sharing the same doc. Group by name so the +// page is one entry per function (its distinct signatures listed) instead of +// ~hundreds of near-identical overload blocks. +function renderPublicFunctions(fns: Fn[]): string { + const byName = new Map(); + for (const f of fns) { + const g = byName.get(f.name) ?? []; + g.push(f); + byName.set(f.name, g); + } + const sections: string[] = []; + const entries = [...byName.entries()].sort((a, b) => + a[0].localeCompare(b[0]), + ); + for (const [name, overloads] of entries) { + const rep = + overloads.find((o) => o.params.length || o.brief) ?? overloads[0]; + const sigs = [...new Set(overloads.map((o) => o.signature))].sort(); + const parts = [`### \`${name}\``, "", rep.brief]; + if (rep.description && rep.description !== rep.brief) + parts.push("", rep.description); + parts.push( + "", + sigs.length > 1 + ? `**${sigs.length} overloads** (one per encrypted type):` + : "**Signature:**", + "", + "```sql", + ...sigs, + "```", + ); + if (rep.params.length) parts.push(paramsTable(rep.params)); + if (rep.returns?.type || rep.returns?.description) { + const t = rep.returns.type ? `\`${rep.returns.type}\`` : ""; + parts.push( + "", + `**Returns:** ${t}${rep.returns.description ? ` β€” ${rep.returns.description}` : ""}`, + ); + } + sections.push(parts.join("\n")); + } + return sections.join("\n\n"); +} + +function renderDomains(domains: Domain[]): string { + if (!domains.length) return ""; + const rows = domains + .map((d) => { + const variant = d.variant ? `\`_${d.variant}\`` : "_(storage only)_"; + const ops = d.supportedOperators?.length + ? d.supportedOperators.map((o) => `\`${o}\``).join(" ") + : "β€”"; + return `| \`${d.name}\` | ${d.type} | ${variant} | ${d.capabilities.join(", ")} | ${ops} |`; + }) + .join("\n"); + return [ + "## Encrypted domains", + "", + "A column's capability is declared by its **domain variant**. This matrix comes straight from the Rust catalog (`eql-codegen dump-catalog`) β€” the source of truth the SQL is generated from. See [Core concepts](/reference/eql/core-concepts) for the model.", + "", + "| Domain | Type | Variant | Capabilities | Operators |", + "| --- | --- | --- | --- | --- |", + rows, + "", + ].join("\n"); +} + +function render(manifest: Manifest): string { + const version = manifest.version; + // Operators (`->`, `>`) reach the manifest as pseudo-functions via Doxygen's + // operator-name remapping; they render poorly and are already covered by the + // domain matrix's Operators column, so keep only real named functions here. + const isNamed = (f: Fn) => /^[a-z_][a-z0-9_]*$/.test(f.name); + const publicFns = manifest.functions.filter( + (f) => f.visibility === "public" && isNamed(f), + ); + const privateFns = manifest.functions.filter( + (f) => f.visibility === "private", + ); + + const frontmatter = [ + "---", + "title: Functions", + `description: "Generated catalog of EQL SQL functions and operators (EQL ${version})."`, + "type: reference", + "components: [eql]", + "verifiedAgainst:", + ` eql: "${version}"`, + "---", + ].join("\n"); + + const body = [ + frontmatter, + "", + `{/* GENERATED β€” do not edit. Produced by scripts/generate-eql-api-docs.ts from the EQL manifest (v${version}). */}`, + "", + "", + "", + ``, + `Generated from the **EQL ${version}** manifest (the Doxygen'd SQL is the source of truth). For the model behind these β€” variants, terms, typed operands β€” see [Core concepts](/reference/eql/core-concepts).`, + ``, + "", + "The EQL SQL surface β€” encrypted domains (in the `public` schema) and the `eql_v3` functions behind them. The type and query pages explain *when* to use these; this page is the exhaustive reference they link to.", + "", + renderDomains(manifest.domains ?? []), + "## Functions", + "", + `The public \`eql_v3\` API β€” ${new Set(publicFns.map((f) => f.name)).size} functions (${publicFns.length} overloads). Internal \`eql_v3_internal\` functions (${privateFns.length}) are implementation detail and omitted.`, + "", + renderPublicFunctions(publicFns), + ]; + + return `${body.join("\n").trimEnd()}\n`; +} + +// ── Drift guard ────────────────────────────────────────────────────────────── +// The known surface is fully schema-qualified: domains live in `public.`, +// functions in `eql_v3.` (public) or `eql_v3_internal.` (private), and the +// per-domain extractor term-functions come pre-qualified from the catalog. +// Matching schema-AND-name means a right-name/wrong-schema reference β€” e.g. +// `eql_v3.text_eq`, whose domain is actually `public.text_eq` β€” is flagged too, +// not just fabricated names. +function knownSymbols(manifest: Manifest): Set { + const known = new Set(); + for (const d of manifest.domains ?? []) { + known.add(d.name); // public. + for (const fn of d.termFunctions ?? []) known.add(fn); // eql_v3. + } + for (const f of manifest.functions) { + const schema = f.visibility === "private" ? "eql_v3_internal" : "eql_v3"; + known.add(`${schema}.${f.name}`); + } + return known; +} + +function driftCheck(manifest: Manifest): string[] { + const known = knownSymbols(manifest); + const referenced = new Map>(); // fqn -> pages + + for (const file of fs.readdirSync(EQL_DIR)) { + if (!file.endsWith(".mdx") || file === "functions.mdx") continue; + const text = fs.readFileSync(path.join(EQL_DIR, file), "utf8"); + // Any schema-qualified reference β€” function call, domain cast, or type. + // A trailing `*` marks a prose family (e.g. `eql_v3.jsonb_path_*`), which + // names a set rather than one symbol, so it's skipped. + for (const m of text.matchAll( + /\b(public|eql_v3_internal|eql_v3)\.([a-z0-9_]+)(\*?)/g, + )) { + if (m[3] === "*") continue; + const fqn = `${m[1]}.${m[2]}`; + const pages = referenced.get(fqn) ?? new Set(); + pages.add(file); + referenced.set(fqn, pages); + } + } + + const unknown: string[] = []; + for (const [fqn, pages] of referenced) { + if (!known.has(fqn)) unknown.push(`${fqn} (in ${[...pages].join(", ")})`); + } + return unknown.sort(); +} + +// ── Main ───────────────────────────────────────────────────────────────────── +function main() { + const manifest = loadManifest(); + + fs.mkdirSync(EQL_DIR, { recursive: true }); + fs.writeFileSync(OUT_FILE, render(manifest)); + + // Emit the release version for the banner (shared by every EQL + // reference page, hand-written and generated alike). + fs.mkdirSync(path.dirname(VERSION_FILE), { recursive: true }); + fs.writeFileSync( + VERSION_FILE, + `// GENERATED by scripts/generate-eql-api-docs.ts from the EQL release manifest.\n// Do not edit; the prebuild step overwrites it with the version of the EQL\n// release the docs are built against.\nexport const EQL_VERSION = ${JSON.stringify(manifest.version)};\n`, + ); + console.log( + `βœ“ Generated ${path.relative(process.cwd(), OUT_FILE)} from EQL ${manifest.version} (${manifest.functions.length} functions)`, + ); + + const unknown = driftCheck(manifest); + if (unknown.length) { + const header = `⚠ ${unknown.length} schema-qualified symbol(s) referenced in hand-written pages are not in the manifest (domains or functions):`; + console.warn(`\n${header}`); + for (const u of unknown) console.warn(` - ${u}`); + if (STRICT) { + console.error( + "\nDrift check failed (STRICT). Fix the reference or update the pinned EQL version.", + ); + process.exit(1); + } else { + console.warn( + "\n(Report-only: using the illustrative sample manifest, which covers only a few symbols. A real manifest β€” the release asset or EQL_MANIFEST_PATH β€” makes this a failing gate.)", + ); + } + } else { + console.log( + "βœ“ Drift check: all schema-qualified symbols resolve against the manifest.", + ); + } +} + +main(); diff --git a/scripts/generate-eql-docs.ts b/scripts/generate-eql-docs.ts index 2ad8994..b7a5f7c 100644 --- a/scripts/generate-eql-docs.ts +++ b/scripts/generate-eql-docs.ts @@ -2,19 +2,41 @@ /** * Generates EQL (Encrypt Query Language) API reference documentation. * - * Fetches the latest release from the encrypt-query-language repository, - * downloads the docs tarball, and converts API.md to an MDX page under - * content/stack/reference/eql/. + * Downloads the docs tarball for the pinned EQL release and converts API.md to + * an MDX page under content/stack/reference/eql/. + * + * The release is PINNED. `generate-eql-api-docs.ts` then runs a STRICT drift + * check of the hand-written reference against this release's manifest, so an + * unpinned "latest release" meant any upstream EQL publish could turn the docs + * build red with no commit in this repo β€” which is exactly what + * eql-3.0.0-alpha.4 did when it replaced `eql_v3.ore_cllw`. + * + * To upgrade: bump EQL_RELEASE_TAG, run `bun run build`, and fix whatever the + * drift check reports. That makes an EQL upgrade a deliberate, reviewable + * commit rather than an ambush on whoever has a PR open. + * + * `EQL_RELEASE_TAG=eql-3.0.0 bun run generate-docs:eql` overrides it for a + * one-off check against a different release. */ import { execSync } from "node:child_process"; import fs from "node:fs/promises"; import path from "node:path"; import GithubSlugger from "github-slugger"; -const GITHUB_API_URL = - "https://api.github.com/repos/cipherstash/encrypt-query-language/releases"; +/** + * The EQL release the docs are written against. EQL 3.0.0 is still in + * prerelease and churning (alpha.3 and alpha.4 shipped a day apart), so this + * tracks an alpha deliberately rather than by accident. + */ +const EQL_RELEASE_TAG = process.env.EQL_RELEASE_TAG ?? "eql-3.0.0-alpha.4"; + +const GITHUB_RELEASE_DOWNLOAD = + "https://github.com/cipherstash/encrypt-query-language/releases/download"; const TEMP_DIR = ".tmp-eql"; const OUTPUT_DIR = path.join(process.cwd(), "content/stack/reference/eql"); +// Where the machine-readable manifest is surfaced for the v2 API-reference +// generator (scripts/generate-eql-api-docs.ts). Gitignored; best-effort. +const RELEASE_MANIFEST = path.join(process.cwd(), ".eql-manifest.release.json"); /** * Check if a tarball URL exists (returns HTTP 200) @@ -32,37 +54,26 @@ function checkTarballExists(url: string): boolean { } /** - * Get the latest release that has a docs tarball available + * Resolve the docs tarball for the pinned release. */ -async function getLatestRelease(): Promise<{ +async function getPinnedRelease(): Promise<{ tag: string; tarballUrl: string; }> { - console.log("Fetching releases from GitHub..."); - const response = execSync(`curl -sL ${GITHUB_API_URL}`, { - encoding: "utf8", - }); - - const releases = JSON.parse(response); - - if (!Array.isArray(releases) || releases.length === 0) { - throw new Error("No releases found in GitHub API response"); - } - - for (const release of releases) { - const tag = release.tag_name; - if (!tag || !tag.startsWith("eql-")) continue; - - const tarballUrl = `https://github.com/cipherstash/encrypt-query-language/releases/download/${tag}/eql-docs-${tag}.tar.gz`; - - console.log(`Checking ${tag}...`); - if (checkTarballExists(tarballUrl)) { - console.log(`Found docs tarball for ${tag}`); - return { tag, tarballUrl }; - } + const tag = EQL_RELEASE_TAG; + const tarballUrl = `${GITHUB_RELEASE_DOWNLOAD}/${tag}/eql-docs-${tag}.tar.gz`; + + console.log(`Using pinned EQL release: ${tag}`); + if (!checkTarballExists(tarballUrl)) { + throw new Error( + `No docs tarball for pinned EQL release "${tag}".\n` + + ` Expected: ${tarballUrl}\n` + + " Update EQL_RELEASE_TAG in scripts/generate-eql-docs.ts, or set the\n" + + " EQL_RELEASE_TAG environment variable to a release that ships one.", + ); } - throw new Error("No release with documentation tarball found"); + return { tag, tarballUrl }; } /** @@ -116,20 +127,22 @@ function escapeMdxSpecials(content: string): string { const escaped = parts .map((part, i) => { if (i % 2 === 1) return part; - return part - .replace(/\{/g, "\\{") - .replace(/\}/g, "\\}") - // Strip Doxygen's `` teletype tags. They're a lowercase-led - // "tag" so the `<` rule below leaves them intact, but MDX requires - // every tag to be balanced β€” and mangled SQL-comment source can - // emit a stray, unclosed `` (e.g. eql-3.0.0-alpha.3's API.md), - // which fails the whole build. MDX doesn't need the tag, so drop it. - .replace(/<\/?tt\b[^>]*>/gi, "") - // Escape `<` unless it begins a real JSX/HTML tag, a closing - // tag, or an autolink (followed by a lowercase letter, `_`, `$`, - // or `/`). Uppercase-led tokens like `` are type placeholders - // in the API reference, not JSX, so they must be escaped too. - .replace(/<(?![a-z_$/])/g, "\\<"); + return ( + part + .replace(/\{/g, "\\{") + .replace(/\}/g, "\\}") + // Strip Doxygen's `` teletype tags. They're a lowercase-led + // "tag" so the `<` rule below leaves them intact, but MDX requires + // every tag to be balanced β€” and mangled SQL-comment source can + // emit a stray, unclosed `` (e.g. eql-3.0.0-alpha.3's API.md), + // which fails the whole build. MDX doesn't need the tag, so drop it. + .replace(/<\/?tt\b[^>]*>/gi, "") + // Escape `<` unless it begins a real JSX/HTML tag, a closing + // tag, or an autolink (followed by a lowercase letter, `_`, `$`, + // or `/`). Uppercase-led tokens like `` are type placeholders + // in the API reference, not JSX, so they must be escaped too. + .replace(/<(?![a-z_$/])/g, "\\<") + ); }) .join(""); result.push(escaped); @@ -231,8 +244,7 @@ async function main() { console.log("EQL API Reference Documentation Generator"); console.log("=".repeat(60)); - const { tag, tarballUrl } = await getLatestRelease(); - console.log(`Latest release: ${tag}`); + const { tag, tarballUrl } = await getPinnedRelease(); const extractPath = await downloadAndExtractDocs(tarballUrl, tag); @@ -259,6 +271,29 @@ async function main() { "utf8", ); + // Surface the machine-readable manifest for the v2 API-reference generator. + // Only releases packaged with the manifest carry it; older ones don't, so + // this is best-effort and the generator falls back to the committed sample. + const manifestSrc = path.join(extractPath, "json", "eql-manifest.json"); + try { + // Prerelease manifests report `"version": "DEV"`, which would surface as + // "generated and validated against EQL DEV" in the banner on every + // reference page. We know which release we pinned, so say so. + const manifest = JSON.parse(await fs.readFile(manifestSrc, "utf8")); + if (!manifest.version || manifest.version === "DEV") { + manifest.version = tag.replace(/^eql-/, ""); + } + await fs.writeFile(RELEASE_MANIFEST, JSON.stringify(manifest, null, 2)); + console.log( + `βœ“ Extracted eql-manifest.json β†’ ${path.basename(RELEASE_MANIFEST)} (version: ${manifest.version})`, + ); + } catch { + await fs.rm(RELEASE_MANIFEST, { force: true }); // clear any stale cache + console.log( + "β€’ No eql-manifest.json in this release; API reference uses the sample.", + ); + } + // Clean up console.log("Cleaning up..."); await fs.rm(extractPath, { recursive: true, force: true }); diff --git a/scripts/validate-content-api.ts b/scripts/validate-content-api.ts new file mode 100644 index 0000000..30d0b61 --- /dev/null +++ b/scripts/validate-content-api.ts @@ -0,0 +1,195 @@ +#!/usr/bin/env tsx +/** + * Content API gate. + * + * Fails the build when documentation teaches an API that is deprecated, was + * removed, or never existed. Two long-lived content branches plus a fast-moving + * SDK means a page fixed on one branch can be silently reintroduced by a port + * from the other β€” which is exactly how the deprecated `LockContext.identify()` + * flow survived a fix and came back in a comparison-page port. + * + * Run via `bun run validate-content`; wired into prebuild. + * + * A line is exempt if it also says the API is retired ("deprecated", "removed", + * "no longer", "are gone"), so that callouts and migration notes are free to + * name the old API in order to warn readers off it. The check is deliberately + * line-local: naming a dead symbol without saying it is dead is the bug. + * + * Generated output is skipped: it mirrors the SDK's own doc comments, which we + * fix upstream rather than here. + */ +import fs from "node:fs"; +import path from "node:path"; + +/** Generated by scripts/*, or a version reference that documents old syntax on purpose. */ +const SKIP_PATHS = [ + "content/stack/reference/stack/", // TypeDoc output + "content/docs/reference/stack/", // TypeDoc output (post-repoint) + "content/stack/reference/eql/index.mdx", // generated EQL API reference + "content/docs/reference/eql/functions.mdx", // generated + "content/docs/reference/cli/", // generated from `stash manifest --json` + "content/docs/reference/eql/v2/", // the retained EQL v2 reference +]; + +/** + * Prose that names a retired API in order to warn readers off it. Kept narrow: + * these are the words we actually use in deprecation callouts and migration + * notes, not a general escape hatch. + */ +const RETIRED_MARKER = + /\b(deprecat\w*|removed|no longer|are gone|was gone|never existed)\b/i; + +type Rule = { + id: string; + pattern: RegExp; + message: string; + fix: string; + /** Only apply the rule to files under these prefixes. */ + scope: string[]; +}; + +const IDENTITY_SCOPE = ["content/docs/", "content/stack/"]; +/** The legacy tree documents EQL v2 throughout; only the v2 IA must be v3-only. */ +const V3_SCOPE = ["content/docs/"]; + +const RULES: Rule[] = [ + { + id: "lockcontext-identify", + pattern: /\.identify\s*\(/, + message: + "`LockContext.identify()` is deprecated. Per-operation CTS tokens were removed in protect-ffi 0.25; the token it fetches no longer affects encryption.", + fix: 'Authenticate the client with `OidcFederationStrategy` via `config.authStrategy`, then pass the claim to `.withLockContext({ identityClaim: ["sub"] })`.', + scope: IDENTITY_SCOPE, + }, + { + id: "identity-token-option", + pattern: /identityToken\s*:/, + message: + "`withLockContext({ identityToken })` has never existed in any released version of @cipherstash/stack.", + fix: 'Use `.withLockContext({ identityClaim: ["sub"] })` on the operation, not on the client.', + scope: IDENTITY_SCOPE, + }, + { + id: "bare-lockcontext-constructor", + pattern: /new\s+LockContext\s*\(\s*\)/, + message: + "A bare `new LockContext()` is only useful with the deprecated `identify()` flow.", + fix: 'Pass a plain `{ identityClaim: ["sub"] }` to `.withLockContext()`. The Supabase query builder still requires an instance: `new LockContext({ context: { identityClaim: ["sub"] } })`.', + scope: IDENTITY_SCOPE, + }, + { + id: "eql-v2-encrypted-type", + pattern: /\beql_v2_encrypted\b/, + message: "The `eql_v2_encrypted` column type was removed in EQL 3.0.0.", + fix: "Type the column with an EQL v3 domain variant, e.g. `public.text_eq`. See /reference/eql/core-concepts.", + scope: V3_SCOPE, + }, + { + id: "eql-v2-schema-functions", + pattern: /\beql_v2\.\w+\s*\(/, + message: "The `eql_v2` schema was removed in EQL 3.0.0.", + fix: "Use the `eql_v3` equivalents, or the encrypted operators directly with a typed operand.", + scope: V3_SCOPE, + }, + { + id: "eql-v2-config-table", + pattern: + /\b(cs_add_column_v1|cs_match_v1|cs_ste_vec_v2|cs_check_encrypted_v1|add_search_config|config_add_column|config_add_table)\b/, + message: + "EQL v3 has no database-side configuration table; these functions are gone.", + fix: "A column's searchable capability is fixed by the domain variant it is typed as. See /reference/eql/core-concepts.", + scope: V3_SCOPE, + }, + { + id: "protect-branding", + pattern: /\b(ProtectClientConfig|@cipherstash\/cli)\b/, + message: + "Stale naming from before the `protect` -> `stack` rename, or the `@cipherstash/cli` -> `stash` rename.", + fix: "Use `EncryptionClientConfig` and `stash`.", + scope: V3_SCOPE, + }, +]; + +type Finding = { + file: string; + line: number; + rule: Rule; + text: string; +}; + +function collectFiles(dir: string): string[] { + if (!fs.existsSync(dir)) return []; + const files: string[] = []; + for (const entry of fs.readdirSync(dir, { withFileTypes: true })) { + const full = path.join(dir, entry.name); + if (entry.isDirectory()) files.push(...collectFiles(full)); + else if (/\.mdx?$/.test(entry.name)) files.push(full); + } + return files; +} + +function isSkipped(relative: string): boolean { + return SKIP_PATHS.some((prefix) => relative.startsWith(prefix)); +} + +function inScope(relative: string, rule: Rule): boolean { + return rule.scope.some((prefix) => relative.startsWith(prefix)); +} + +const root = process.cwd(); +const findings: Finding[] = []; + +for (const dir of ["content/docs", "content/stack"]) { + for (const file of collectFiles(path.join(root, dir))) { + const relative = path.relative(root, file).split(path.sep).join("/"); + if (isSkipped(relative)) continue; + + const lines = fs.readFileSync(file, "utf8").split("\n"); + lines.forEach((text, i) => { + // A line that names a dead API *and says it is dead* is doing its job. + if (RETIRED_MARKER.test(text)) return; + + for (const rule of RULES) { + if (!inScope(relative, rule)) continue; + if (rule.pattern.test(text)) { + findings.push({ + file: relative, + line: i + 1, + rule, + text: text.trim(), + }); + } + } + }); + } +} + +if (findings.length > 0) { + const byRule = new Map(); + for (const f of findings) { + const list = byRule.get(f.rule.id) ?? []; + list.push(f); + byRule.set(f.rule.id, list); + } + + console.error( + `βœ— ${findings.length} occurrence(s) of deprecated or non-existent API in documentation:\n`, + ); + for (const [id, group] of byRule) { + const { message, fix } = group[0].rule; + console.error(` [${id}] ${message}`); + console.error(` Fix: ${fix}\n`); + for (const f of group) { + console.error(` ${f.file}:${f.line}`); + console.error(` ${f.text.slice(0, 100)}`); + } + console.error(""); + } + console.error( + 'A line that also says the API is retired ("deprecated", "removed", "no longer",\n' + + '"are gone", "never existed") is exempt, so deprecation callouts still pass.', + ); + process.exit(1); +} + +console.log("βœ“ no deprecated or non-existent API found in documentation"); diff --git a/scripts/validate-mermaid.ts b/scripts/validate-mermaid.ts new file mode 100644 index 0000000..e9de692 --- /dev/null +++ b/scripts/validate-mermaid.ts @@ -0,0 +1,99 @@ +#!/usr/bin/env tsx +/** + * Mermaid diagram gate. + * + * A malformed diagram does not fail the build: Mermaid parses in the browser, + * and `src/components/mermaid.tsx` catches the error so a bad chart can't blank + * the page. The failure mode is therefore silent, and a diagram that renders as + * nothing looks identical to a diagram nobody noticed was missing. + * + * So parse every ```mermaid fence at build time instead. Mermaid needs a DOM to + * initialize, which jsdom provides. + * + * Run via `bun run validate-mermaid`; wired into prebuild. + */ +import fs from "node:fs"; +import path from "node:path"; +import { JSDOM } from "jsdom"; + +const CONTENT_DIRS = ["content/docs", "content/stack"]; + +function collectFiles(dir: string): string[] { + if (!fs.existsSync(dir)) return []; + const files: string[] = []; + for (const entry of fs.readdirSync(dir, { withFileTypes: true })) { + const full = path.join(dir, entry.name); + if (entry.isDirectory()) files.push(...collectFiles(full)); + else if (/\.mdx?$/.test(entry.name)) files.push(full); + } + return files; +} + +type Block = { file: string; line: number; chart: string }; + +function collectBlocks(file: string): Block[] { + const source = fs.readFileSync(file, "utf8"); + const blocks: Block[] = []; + const pattern = /^```mermaid[^\n]*\n([\s\S]*?)^```/gm; + + for (const match of source.matchAll(pattern)) { + const line = source.slice(0, match.index).split("\n").length; + blocks.push({ file, line, chart: match[1] }); + } + return blocks; +} + +async function main() { + const root = process.cwd(); + const blocks = CONTENT_DIRS.flatMap((dir) => + collectFiles(path.join(root, dir)).flatMap(collectBlocks), + ); + + if (blocks.length === 0) { + console.log("βœ“ no mermaid diagrams to validate"); + return; + } + + // Mermaid reaches for browser globals at import time and during parse. + // `navigator` is a getter-only property on Node's globalThis, so assign via + // defineProperty rather than `=`. + const dom = new JSDOM(""); + for (const name of ["window", "document", "navigator"] as const) { + Object.defineProperty(globalThis, name, { + value: name === "window" ? dom.window : dom.window[name], + configurable: true, + writable: true, + }); + } + + const mermaid = (await import("mermaid")).default; + mermaid.initialize({ startOnLoad: false }); + + const failures: { block: Block; message: string }[] = []; + + for (const block of blocks) { + try { + await mermaid.parse(block.chart); + } catch (error) { + const message = error instanceof Error ? error.message : String(error); + failures.push({ block, message: message.split("\n")[0] }); + } + } + + if (failures.length > 0) { + console.error(`βœ— ${failures.length} invalid mermaid diagram(s):\n`); + for (const { block, message } of failures) { + const relative = path.relative(root, block.file); + console.error(` ${relative}:${block.line}`); + console.error(` ${message}\n`); + } + process.exit(1); + } + + console.log(`βœ“ all ${blocks.length} mermaid diagram(s) parse`); +} + +main().catch((error) => { + console.error("βœ— mermaid validation failed to run:", error); + process.exit(1); +}); diff --git a/scripts/validate-v2-redirects.ts b/scripts/validate-v2-redirects.ts new file mode 100644 index 0000000..97c90d0 --- /dev/null +++ b/scripts/validate-v2-redirects.ts @@ -0,0 +1,61 @@ +#!/usr/bin/env tsx +/** + * V2 redirect gate (CIP-3325 / CIP-3337 item 7). + * + * Every page in the legacy tree (content/stack) must be covered by an entry + * in v2-redirects.mjs β€” exact match or `:path*` wildcard β€” so that no URL is + * orphaned when the v2 IA ships. Run via `bun run validate-redirects`; wired + * into prebuild so a page added to content/stack without a mapping fails CI. + * + * This checks map *coverage*, not destination existence β€” destinations are + * stubs until each section's migration ticket lands. CIP-3335 verifies + * destinations resolve before merge. + */ +import fs from "node:fs"; +import path from "node:path"; +// eslint-disable-next-line -- .mjs import is intentional; the map is shared with next.config.mjs +import { v2Redirects } from "../v2-redirects.mjs"; + +const LEGACY_DIR = path.join(process.cwd(), "content/stack"); + +function collectSlugs(dir: string, prefix: string[] = []): string[] { + const slugs: string[] = []; + for (const entry of fs.readdirSync(dir, { withFileTypes: true })) { + if (entry.isDirectory()) { + slugs.push( + ...collectSlugs(path.join(dir, entry.name), [...prefix, entry.name]), + ); + } else if (entry.name.endsWith(".mdx") || entry.name.endsWith(".md")) { + const base = entry.name.replace(/\.mdx?$/, ""); + const parts = base === "index" ? prefix : [...prefix, base]; + slugs.push(`/stack${parts.length ? `/${parts.join("/")}` : ""}`); + } + } + return slugs; +} + +function matches(url: string, source: string): boolean { + if (source.endsWith("/:path*")) { + const base = source.slice(0, -"/:path*".length); + return url === base || url.startsWith(`${base}/`); + } + return url === source; +} + +const urls = collectSlugs(LEGACY_DIR); +const unmatched = urls.filter( + (url) => !v2Redirects.some((r: { source: string }) => matches(url, r.source)), +); + +if (unmatched.length > 0) { + console.error( + `βœ— ${unmatched.length} legacy page(s) have no v2 redirect mapping:\n`, + ); + for (const url of unmatched.sort()) { + console.error(` ${url}`); + } + console.error("\nAdd entries to v2-redirects.mjs (see IA.md migration map)."); + process.exit(1); +} + +console.log(`βœ“ all ${urls.length} legacy pages covered by v2-redirects.mjs`); diff --git a/source.config.ts b/source.config.ts index 7769cf3..feeed91 100644 --- a/source.config.ts +++ b/source.config.ts @@ -23,6 +23,59 @@ export const docs = defineDocs({ }, }); +// V2 information architecture (CIP-3325). New content lives in content/docs +// and is served from the site root (e.g. /docs/get-started/...). The legacy +// `docs` collection above (content/stack) is served alongside it during the +// migration and is deleted once the last section moves. See IA.md. +export const v2docs = defineDocs({ + dir: "content/docs", + docs: { + schema: pageSchema.extend({ + seoTitle: z.string().optional(), + // Sidebar label, when it should differ from the page's `title` (which is + // also the H1). Mainly for section index pages: the folder already names + // the section, so repeating it on the index item is noise. Applied to the + // page tree in `src/lib/source.ts`; never affects the URL or the H1. + navTitle: z.string().optional(), + // DiΓ‘taxis page type. Every page should declare one; enforced by the + // docs lint (CIP-3337) rather than the schema so stubs can land first. + type: z.enum(["tutorial", "guide", "concept", "reference"]).optional(), + // Facets powering index pages, filtered views, and the future + // tailored-quickstart picker (CIP-3339). Nav position never depends on + // these β€” the sidebar tree comes from meta.json alone. + components: z + .array(z.enum(["encryption", "platform", "eql", "proxy", "cli"])) + .optional(), + audience: z.array(z.enum(["developer", "cto", "ciso"])).optional(), + integration: z + .object({ + category: z.enum([ + "platform", + "orm", + "framework", + "auth-provider", + "language", + "runtime", + ]), + setup: z.enum(["code-only", "dashboard-required"]), + pairsWith: z.array(z.string()).optional(), + }) + .optional(), + // Review tracking (CIP-3337): API pages pin the releases they were + // verified against (e.g. { stack: "1.2.0", eql: "3.0.0" }); claims pages + // (compliance, pricing, comparisons) carry a review-by date instead. + verifiedAgainst: z.record(z.string(), z.string()).optional(), + reviewBy: z.string().optional(), + }), + postprocess: { + includeProcessedMarkdown: true, + }, + }, + meta: { + schema: metaSchema, + }, +}); + // Parse the leftover code-fence meta string (what remains after Fumadocs // extracts `title`, `tab`, and line-number directives) for the analytics // attributes documented for authors: `example-id`, `cta`, and `cta-type`. @@ -49,6 +102,14 @@ const codeCopyTrackingTransformer: ShikiTransformer = { pre(node) { node.properties["data-language"] = this.options.lang ?? "plaintext"; + // A ```mermaid fence stays a code fence in the mdast, so the processed + // markdown we serve at `.mdx` and in llms.txt keeps the diagram as + // readable source. Carry the raw source through to the client, where + // `TrackedCodeBlock` swaps the highlighted block for a rendered diagram. + if (this.options.lang === "mermaid") { + node.properties["data-mermaid"] = this.source; + } + const raw = typeof this.options.meta?.__raw === "string" ? this.options.meta.__raw diff --git a/src/app/(home)/layout.tsx b/src/app/(home)/layout.tsx deleted file mode 100644 index c16b056..0000000 --- a/src/app/(home)/layout.tsx +++ /dev/null @@ -1,6 +0,0 @@ -import { HomeLayout } from "fumadocs-ui/layouts/home"; -import { baseOptions } from "@/lib/layout.shared"; - -export default function Layout({ children }: LayoutProps<"/">) { - return {children}; -} diff --git a/src/app/(home)/page.tsx b/src/app/(home)/page.tsx deleted file mode 100644 index 5311eab..0000000 --- a/src/app/(home)/page.tsx +++ /dev/null @@ -1,346 +0,0 @@ -import { - ArrowRight, - BookOpen, - Code, - Database, - ExternalLinkIcon, - FileText, - KeyRound, - Lock, - Search, - ShieldCheck, - Zap, -} from "lucide-react"; -import Link from "next/link"; -import type { ComponentType } from "react"; -import { - DrizzleLogo, - DynamoDBLogo, - PrismaLogo, - SupabaseLogo, -} from "@/components/integration-logos"; -import type { Metadata } from "next"; - -// The /docs landing page had no metadata (no ). `absolute` bypasses the -// root layout's "%s | CipherStash Docs" template so the title isn't doubled. -export const metadata: Metadata = { - title: { - absolute: "CipherStash Docs β€” Searchable encryption for Postgres", - }, - description: - "Data Level Access Control for Postgres. Searchable field-level encryption, identity-bound keys, and cryptographic audit trails.", - alternates: { canonical: "https://cipherstash.com/docs" }, -}; - -const monoClass = "font-[family-name:var(--font-fira-code)] tracking-[-0.02em]"; -const eyebrowClass = - "font-[family-name:var(--font-fira-code)] text-[10px] font-medium tracking-[0.16em] uppercase text-fd-primary"; - -const products = [ - { - title: "Encryption", - description: - "Searchable field-level encryption. Range queries, exact match, and free-text search over ciphertext. Sub-millisecond overhead.", - href: "/stack/cipherstash/encryption", - icon: Lock, - }, - { - title: "ZeroKMS", - description: - "The key management layer. Unique key per value, derived on demand, never stored. 100x faster than AWS KMS.", - href: "/stack/cipherstash/kms", - icon: KeyRound, - }, - { - title: "Proxy", - description: - "Transparent searchable encryption for existing PostgreSQL databases. Zero application code changes.", - href: "/stack/cipherstash/proxy", - icon: Database, - }, -]; - -const integrations: { - title: string; - description: string; - href: string; - logo: ComponentType<{ className?: string }>; -}[] = [ - { - title: "Supabase", - description: "Field-level encryption for your Supabase project.", - href: "/stack/cipherstash/supabase", - logo: SupabaseLogo, - }, - { - title: "Drizzle ORM", - description: "Encrypted column types and query operators for Drizzle.", - href: "/stack/cipherstash/encryption/drizzle", - logo: DrizzleLogo, - }, - { - title: "Prisma Next", - description: - "Searchable field-level encryption for Postgres with Prisma Next.", - href: "/stack/cipherstash/encryption/prisma-next", - logo: PrismaLogo, - }, - { - title: "DynamoDB", - description: - "Encrypted DynamoDB attributes with searchable equality lookups.", - href: "/stack/cipherstash/encryption/dynamodb", - logo: DynamoDBLogo, - }, -]; - -const resources = [ - { - title: "What is CipherStash?", - description: "DLAC, threat model, how it works", - href: "/stack/reference/what-is-cipherstash", - icon: ShieldCheck, - }, - { - title: "API Reference", - description: "SDK and API reference docs", - href: "/stack/reference", - icon: Code, - }, - { - title: "Agent Skills", - description: "CipherStash knowledge for your AI coding agent", - href: "/stack/reference/agent-skills", - icon: Zap, - }, - { - title: "Use Cases", - description: "AI/RAG, compliance, data residency", - href: "/stack/reference/use-cases", - icon: BookOpen, - }, -]; - -export default function HomePage() { - return ( - <main className="flex flex-col"> - {/* Hero */} - <section className="border-b border-fd-border"> - <div className="mx-auto w-full max-w-[1200px] px-6 pt-24 pb-16 md:px-12 md:pt-32 md:pb-20"> - <p className={eyebrowClass}>DLAC / DATA LEVEL ACCESS CONTROL</p> - <h1 - className={`mt-4 text-3xl font-medium text-fd-foreground md:text-5xl ${monoClass}`} - > - CipherStash Docs - </h1> - <p className="mt-4 max-w-2xl text-[17px] leading-relaxed text-fd-muted-foreground"> - Searchable field-level encryption. Identity-bound keys. - Cryptographic audit trails. Built into your existing Postgres stack. - </p> - - {/* Getting started cards */} - <div className="mt-10 grid gap-px bg-fd-border sm:grid-cols-2 border border-fd-border rounded-[2px] overflow-hidden"> - {[ - { - href: "/stack/quickstart", - icon: Zap, - title: "Quickstart", - desc: "Encrypt your first fields in 15 minutes.", - }, - { - href: "/stack/cipherstash/supabase", - icon: Database, - title: "Supabase", - desc: "Field-level encryption for Supabase.", - }, - { - href: "/stack/cipherstash/encryption/searchable-encryption", - icon: Search, - title: "Searchable encryption", - desc: "Equality, free text, range, ordering, and JSON queries over ciphertext.", - }, - { - href: "/stack/reference/agent-skills", - icon: Zap, - title: "Agent Skills", - desc: "CipherStash knowledge for Cursor, Copilot, Claude Code.", - }, - ].map((card) => ( - <Link - key={card.href} - href={card.href} - className="group flex items-center gap-4 bg-fd-background p-5 transition-colors hover:bg-fd-accent/50" - > - <div className="flex size-10 shrink-0 items-center justify-center rounded-[2px] bg-fd-primary/10 text-fd-primary"> - <card.icon className="size-5" /> - </div> - <div className="min-w-0"> - <p - className={`font-medium text-fd-foreground text-[15px] ${monoClass}`} - > - {card.title} - </p> - <p className="text-sm text-fd-muted-foreground"> - {card.desc} - </p> - </div> - <ArrowRight className="ml-auto size-4 shrink-0 text-fd-muted-foreground transition-colors group-hover:text-fd-primary" /> - </Link> - ))} - </div> - </div> - </section> - - {/* Products */} - <section className="mx-auto w-full max-w-[1200px] px-6 py-16 md:px-12 md:py-24"> - <p className={eyebrowClass}>Β§ 01 / THE STACK</p> - <h2 - className={`mt-3 text-xl font-medium text-fd-foreground md:text-2xl ${monoClass}`} - > - The Stack - </h2> - <p className="mt-2 text-fd-muted-foreground"> - Encryption, key management, and proxy. - </p> - - <div className="mt-8 grid gap-px bg-fd-border sm:grid-cols-3 border border-fd-border rounded-[2px] overflow-hidden"> - {products.map((product) => ( - <Link - key={product.title} - href={product.href} - className="group relative flex flex-col overflow-hidden bg-fd-background transition-colors hover:bg-fd-accent/50" - > - <div className="flex h-32 items-center justify-center border-b border-fd-border bg-fd-muted/20"> - <product.icon className="size-10 text-fd-muted-foreground/30" /> - </div> - <div className="flex flex-1 flex-col p-5"> - <div className="flex items-center gap-2"> - <product.icon className="size-4 text-fd-primary" /> - <h3 className={`font-medium text-fd-foreground ${monoClass}`}> - {product.title} - </h3> - </div> - <p className="mt-2 flex-1 text-sm leading-relaxed text-fd-muted-foreground"> - {product.description} - </p> - </div> - </Link> - ))} - </div> - </section> - - {/* Integrations */} - <section className="border-t border-fd-border"> - <div className="mx-auto w-full max-w-[1200px] px-6 py-16 md:px-12 md:py-24"> - <p className={eyebrowClass}>Β§ 02 / INTEGRATIONS</p> - <h2 - className={`mt-3 text-xl font-medium text-fd-foreground md:text-2xl ${monoClass}`} - > - Integrations - </h2> - <p className="mt-2 text-fd-muted-foreground"> - Drop-in encryption for the databases and ORMs you already use. - </p> - - <div className="mt-8 grid gap-px bg-fd-border sm:grid-cols-2 lg:grid-cols-4 border border-fd-border rounded-[2px] overflow-hidden"> - {integrations.map((integration) => ( - <Link - key={integration.title} - href={integration.href} - className="group flex flex-col items-center bg-fd-background p-6 text-center transition-colors hover:bg-fd-accent/50" - > - <div className="flex size-24 items-center justify-center"> - <integration.logo className="h-12 w-auto" /> - </div> - <h3 - className={`mt-4 font-medium text-fd-foreground ${monoClass}`} - > - {integration.title} - </h3> - <p className="mt-1 text-sm text-fd-muted-foreground"> - {integration.description} - </p> - </Link> - ))} - </div> - </div> - </section> - - {/* Resources */} - <section className="border-t border-fd-border"> - <div className="mx-auto w-full max-w-[1200px] px-6 py-16 md:px-12 md:py-24"> - <p className={eyebrowClass}>Β§ 03 / RESOURCES</p> - <h2 - className={`mt-3 text-xl font-medium text-fd-foreground md:text-2xl ${monoClass}`} - > - Resources - </h2> - - <div className="mt-8 grid gap-px bg-fd-border sm:grid-cols-2 lg:grid-cols-4 border border-fd-border rounded-[2px] overflow-hidden"> - {resources.map((resource) => ( - <Link - key={resource.title} - href={resource.href} - className="group flex items-start gap-3 bg-fd-background p-4 transition-colors hover:bg-fd-accent/50" - > - <resource.icon className="mt-0.5 size-5 shrink-0 text-fd-muted-foreground group-hover:text-fd-primary" /> - <div> - <p - className={`font-medium text-fd-foreground text-[14px] ${monoClass}`} - > - {resource.title} - </p> - <p className="mt-0.5 text-sm text-fd-muted-foreground"> - {resource.description} - </p> - </div> - </Link> - ))} - </div> - </div> - </section> - - {/* AI/LLM + CTA footer */} - <section className="border-t border-fd-border bg-fd-card/50"> - <div className="mx-auto flex w-full max-w-[1200px] flex-col items-center px-6 py-16 text-center md:px-12 md:py-20"> - <div className="flex size-10 items-center justify-center rounded-[2px] bg-fd-primary/10 text-fd-primary"> - <FileText className="size-5" /> - </div> - <h2 - className={`mt-4 text-xl font-medium text-fd-foreground md:text-2xl ${monoClass}`} - > - AI-ready documentation - </h2> - <p className="mx-auto mt-2 max-w-lg text-sm text-fd-muted-foreground"> - Every page is clean markdown. Feed it to your LLM. - </p> - <div className="mt-6 flex flex-wrap justify-center gap-3"> - <Link - href="/llms.txt" - className="inline-flex items-center gap-2 rounded-[2px] border border-fd-border px-4 py-2 text-sm font-medium text-fd-foreground transition-colors hover:border-fd-primary/40 hover:bg-fd-accent/50" - > - <FileText className="size-4" /> - llms.txt - </Link> - <Link - href="/llms-full.txt" - className="inline-flex items-center gap-2 rounded-[2px] border border-fd-border px-4 py-2 text-sm font-medium text-fd-foreground transition-colors hover:border-fd-primary/40 hover:bg-fd-accent/50" - > - <FileText className="size-4" /> - llms-full.txt - </Link> - <a - href="https://github.com/cipherstash/stack" - target="_blank" - rel="noopener noreferrer" - className="inline-flex items-center gap-2 rounded-[2px] border border-fd-border px-4 py-2 text-sm font-medium text-fd-foreground transition-colors hover:border-fd-primary/40 hover:bg-fd-accent/50" - > - <ExternalLinkIcon className="size-4" /> - GitHub - </a> - </div> - </div> - </section> - </main> - ); -} diff --git a/src/app/[[...slug]]/layout.tsx b/src/app/[[...slug]]/layout.tsx new file mode 100644 index 0000000..d121273 --- /dev/null +++ b/src/app/[[...slug]]/layout.tsx @@ -0,0 +1,15 @@ +import { DocsLayout } from "fumadocs-ui/layouts/docs"; +import { baseOptions } from "@/lib/layout.shared"; +import { getV2PageTree } from "@/lib/source"; + +// Layout for the V2 IA tree (content/docs), served from the site root β€” +// including the /docs landing page (content/docs/index.mdx), which renders +// inside the same navigation shell as every other page. Static routes +// (/stack, /api, /og, …) take precedence over this segment as usual. +export default function Layout({ children }: LayoutProps<"/[[...slug]]">) { + return ( + <DocsLayout tree={getV2PageTree()} {...baseOptions()}> + {children} + </DocsLayout> + ); +} diff --git a/src/app/[[...slug]]/page.tsx b/src/app/[[...slug]]/page.tsx new file mode 100644 index 0000000..5efba49 --- /dev/null +++ b/src/app/[[...slug]]/page.tsx @@ -0,0 +1,84 @@ +import { + DocsBody, + DocsDescription, + DocsPage, + DocsTitle, +} from "fumadocs-ui/layouts/docs/page"; +import { createRelativeLink } from "fumadocs-ui/mdx"; +import type { Metadata } from "next"; +import { notFound } from "next/navigation"; +import { LLMCopyButton, ViewOptions } from "@/components/ai/page-actions"; +import { gitConfig } from "@/lib/layout.shared"; +import { v2source } from "@/lib/source"; +import { getMDXComponents } from "@/mdx-components"; + +// Page route for the V2 IA tree (content/docs), including the /docs landing +// page. Mirrors the legacy /stack/[[...slug]] route; the legacy route is +// deleted when the migration completes (see IA.md). + +// The landing page's URL is "/", which would produce "/docs/.mdx" β€” serve its +// raw-markdown mirror at /docs/index.mdx instead (normalized back to the root +// slug in the llms.mdx/v2 route). +function markdownUrl(pageUrl: string): string { + return `/docs${pageUrl === "/" ? "/index" : pageUrl}.mdx`; +} + +export default async function Page(props: PageProps<"/[[...slug]]">) { + const params = await props.params; + const page = v2source.getPage(params.slug); + if (!page) notFound(); + + const MDX = page.data.body; + + return ( + <DocsPage toc={page.data.toc} full={page.data.full}> + <DocsTitle>{page.data.title}</DocsTitle> + <DocsDescription className="mb-0"> + {page.data.description} + </DocsDescription> + <div className="flex flex-row gap-2 items-center border-b pb-6"> + <LLMCopyButton markdownUrl={markdownUrl(page.url)} /> + <ViewOptions + markdownUrl={markdownUrl(page.url)} + githubUrl={`https://github.com/${gitConfig.user}/${gitConfig.repo}/blob/${gitConfig.branch}/content/docs/${page.path}`} + /> + </div> + <DocsBody> + <MDX + components={getMDXComponents({ + a: createRelativeLink(v2source, page), + })} + /> + </DocsBody> + </DocsPage> + ); +} + +export async function generateStaticParams() { + return v2source.generateParams(); +} + +export async function generateMetadata( + props: PageProps<"/[[...slug]]">, +): Promise<Metadata> { + const params = await props.params; + const page = v2source.getPage(params.slug); + if (!page) notFound(); + + const title = page.data.seoTitle ?? page.data.title; + const url = `https://cipherstash.com/docs${page.url === "/" ? "" : page.url}`; + + return { + title, + description: page.data.description, + alternates: { canonical: url }, + openGraph: { + type: "article", + url, + title, + description: page.data.description, + // TODO(v2): OG images β€” the /og route only covers the legacy tree. + // Add a v2 OG route when the first real (non-stub) pages land. + }, + }; +} diff --git a/src/app/api/search/route.ts b/src/app/api/search/route.ts index aa9d5cd..ec6bc8d 100644 --- a/src/app/api/search/route.ts +++ b/src/app/api/search/route.ts @@ -1,5 +1,5 @@ -import { source } from "@/lib/source"; import { createFromSource } from "fumadocs-core/search/server"; +import { source } from "@/lib/source"; export const { GET } = createFromSource(source, { // https://docs.orama.com/docs/orama-js/supported-languages diff --git a/src/app/layout.tsx b/src/app/layout.tsx index e6ff9a2..33912be 100644 --- a/src/app/layout.tsx +++ b/src/app/layout.tsx @@ -2,7 +2,7 @@ import { RootProvider } from "fumadocs-ui/provider/next"; import { PostHogProvider } from "@/lib/posthog/provider"; import "./global.css"; import type { Metadata } from "next"; -import { Inter, Fira_Code } from "next/font/google"; +import { Fira_Code, Inter } from "next/font/google"; // Site-wide title template so every page gets a descriptive, branded // <title>. Per-page metadata returns a bare title (e.g. "Keysets") which diff --git a/src/app/llms-full.txt/route.ts b/src/app/llms-full.txt/route.ts index 8e2efe8..9cd76be 100644 --- a/src/app/llms-full.txt/route.ts +++ b/src/app/llms-full.txt/route.ts @@ -1,5 +1,5 @@ import { getPostHogClient } from "@/lib/posthog/server"; -import { getLLMText, source } from "@/lib/source"; +import { getLLMText, source, v2source } from "@/lib/source"; export const revalidate = false; @@ -18,7 +18,7 @@ export async function GET(request: Request) { await posthog.flush(); } - const scan = source.getPages().map(getLLMText); + const scan = [...v2source.getPages(), ...source.getPages()].map(getLLMText); const scanned = await Promise.all(scan); return new Response(scanned.join("\n\n")); diff --git a/src/app/llms.mdx/v2/[[...slug]]/route.ts b/src/app/llms.mdx/v2/[[...slug]]/route.ts new file mode 100644 index 0000000..fc9f251 --- /dev/null +++ b/src/app/llms.mdx/v2/[[...slug]]/route.ts @@ -0,0 +1,48 @@ +import { notFound } from "next/navigation"; +import { getPostHogClient } from "@/lib/posthog/server"; +import { getLLMText, v2source } from "@/lib/source"; + +// Raw-markdown mirror for the V2 IA tree, reached via the +// `/:path*.mdx` rewrite in next.config.mjs (same pattern as the legacy +// /llms.mdx/stack route). +export const revalidate = false; + +export async function GET( + req: Request, + { params }: RouteContext<"/llms.mdx/v2/[[...slug]]">, +) { + const { slug } = await params; + // The landing page's markdown mirror is served at /docs/index.mdx (its URL + // is "/", which can't carry an .mdx suffix) β€” normalize back to the root. + const normalized = + !slug || (slug.length === 1 && slug[0] === "index") ? [] : slug; + const page = v2source.getPage(normalized); + if (!page) notFound(); + + const posthog = getPostHogClient(); + if (posthog) { + posthog.capture({ + distinctId: "llm-agent", + event: "llms_mdx_page_fetched", + properties: { + $current_url: req.url, + page_slug: normalized.join("/"), + page_title: page.data.title, + referer: req.headers.get("referer") ?? "", + user_agent: req.headers.get("user-agent") ?? "", + }, + }); + await posthog.flush(); + } + + return new Response(await getLLMText(page), { + headers: { + "Content-Type": "text/markdown", + "Access-Control-Allow-Origin": "*", + }, + }); +} + +export function generateStaticParams() { + return v2source.generateParams(); +} diff --git a/src/app/llms.txt/route.ts b/src/app/llms.txt/route.ts index 5d6bcbb..2c6696e 100644 --- a/src/app/llms.txt/route.ts +++ b/src/app/llms.txt/route.ts @@ -1,5 +1,5 @@ import { getPostHogClient } from "@/lib/posthog/server"; -import { source } from "@/lib/source"; +import { source, v2source } from "@/lib/source"; export const revalidate = false; @@ -21,7 +21,8 @@ export async function GET(request: Request) { const lines: string[] = []; lines.push("# Documentation"); lines.push(""); - for (const page of source.getPages()) { + // V2 tree first: it's the canonical IA once the migration completes. + for (const page of [...v2source.getPages(), ...source.getPages()]) { lines.push(`- [${page.data.title}](${page.url}): ${page.data.description}`); } return new Response(lines.join("\n")); diff --git a/src/app/og/docs/[...slug]/route.tsx b/src/app/og/docs/[...slug]/route.tsx index 208fdfd..801a890 100644 --- a/src/app/og/docs/[...slug]/route.tsx +++ b/src/app/og/docs/[...slug]/route.tsx @@ -1,7 +1,7 @@ -import { getPageImage, source } from "@/lib/source"; +import { generate as DefaultImage } from "fumadocs-ui/og"; import { notFound } from "next/navigation"; import { ImageResponse } from "next/og"; -import { generate as DefaultImage } from "fumadocs-ui/og"; +import { getPageImage, source } from "@/lib/source"; export const revalidate = false; diff --git a/src/app/sitemap.ts b/src/app/sitemap.ts index 515283d..77fd867 100644 --- a/src/app/sitemap.ts +++ b/src/app/sitemap.ts @@ -1,10 +1,10 @@ import type { MetadataRoute } from "next"; -import { source } from "@/lib/source"; +import { source, v2source } from "@/lib/source"; const BASE_URL = "https://cipherstash.com/docs"; export default function sitemap(): MetadataRoute.Sitemap { - return source.getPages().map((page) => ({ + return [...v2source.getPages(), ...source.getPages()].map((page) => ({ url: `${BASE_URL}${page.url}`, lastModified: new Date(), changeFrequency: "weekly", diff --git a/src/app/stack/[[...slug]]/page.tsx b/src/app/stack/[[...slug]]/page.tsx index 6f5e79a..ef050ee 100644 --- a/src/app/stack/[[...slug]]/page.tsx +++ b/src/app/stack/[[...slug]]/page.tsx @@ -1,16 +1,16 @@ -import { getPageImage, source } from "@/lib/source"; import { DocsBody, DocsDescription, DocsPage, DocsTitle, } from "fumadocs-ui/layouts/docs/page"; -import { notFound } from "next/navigation"; -import { getMDXComponents } from "@/mdx-components"; -import type { Metadata } from "next"; import { createRelativeLink } from "fumadocs-ui/mdx"; +import type { Metadata } from "next"; +import { notFound } from "next/navigation"; import { LLMCopyButton, ViewOptions } from "@/components/ai/page-actions"; import { gitConfig } from "@/lib/layout.shared"; +import { getPageImage, source } from "@/lib/source"; +import { getMDXComponents } from "@/mdx-components"; export default async function Page(props: PageProps<"/stack/[[...slug]]">) { const params = await props.params; diff --git a/src/app/stack/layout.tsx b/src/app/stack/layout.tsx index d5b93ec..78d2389 100644 --- a/src/app/stack/layout.tsx +++ b/src/app/stack/layout.tsx @@ -1,6 +1,6 @@ -import { source } from "@/lib/source"; import { DocsLayout } from "fumadocs-ui/layouts/docs"; import { baseOptions } from "@/lib/layout.shared"; +import { source } from "@/lib/source"; export default function Layout({ children }: LayoutProps<"/stack">) { return ( diff --git a/src/components/code-block.tsx b/src/components/code-block.tsx index b0f9d18..d15fbaa 100644 --- a/src/components/code-block.tsx +++ b/src/components/code-block.tsx @@ -9,6 +9,7 @@ import { slug } from "github-slugger"; import { usePathname } from "next/navigation"; import posthog from "posthog-js"; import { type MouseEvent, useCallback, useEffect, useRef } from "react"; +import { Mermaid } from "@/components/mermaid"; // Build-time metadata is attached to the `<pre>` as `data-*` attributes by the // `cipherstash:code-copy-tracking` Shiki transformer (see `source.config.ts`). @@ -18,6 +19,8 @@ type TrackingProps = { "data-filename"?: string; "data-cta"?: string; "data-cta-type"?: string; + /** Raw diagram source, carried through for `mermaid` fences. */ + "data-mermaid"?: string; }; /** @@ -35,6 +38,15 @@ type TrackingProps = { export function TrackedCodeBlock(props: CodeBlockProps) { const attrs = props as CodeBlockProps & TrackingProps; const language = attrs["data-language"] ?? "plaintext"; + + // A ```mermaid fence is a code fence everywhere except on screen: the source + // survives in the mdast (so `.mdx` and llms.txt keep it readable), and the + // rendered page gets a diagram instead of an overflowing block of syntax. + const mermaidChart = attrs["data-mermaid"]; + if (language === "mermaid" && mermaidChart) { + return <Mermaid chart={mermaidChart} />; + } + const exampleId = attrs["data-example-id"]; const isCta = attrs["data-cta"] === "true"; const ctaType = attrs["data-cta-type"]; diff --git a/src/components/eql-version.tsx b/src/components/eql-version.tsx new file mode 100644 index 0000000..d3c43e0 --- /dev/null +++ b/src/components/eql-version.tsx @@ -0,0 +1,20 @@ +import { Callout } from "fumadocs-ui/components/callout"; +import Link from "next/link"; +import { EQL_VERSION } from "@/lib/eql-version"; + +/** + * Version banner for the EQL v3 reference. Shows the EQL release the docs were + * generated/validated against β€” sourced from the release manifest's own version + * (written to `@/lib/eql-version` by generate-eql-api-docs.ts at build time) β€” + * and links to the retained EQL v2 reference for readers on the older + * generation. + */ +export function EqlVersion() { + return ( + <Callout title="EQL version" type="info"> + This reference is generated and validated against{" "} + <strong>EQL {EQL_VERSION}</strong>. Running EQL 2.x? See the{" "} + <Link href="/reference/eql/v2">EQL v2 reference</Link>. + </Callout> + ); +} diff --git a/src/components/icons/supabase.tsx b/src/components/icons/supabase.tsx index c6336f9..1b9b9bb 100644 --- a/src/components/icons/supabase.tsx +++ b/src/components/icons/supabase.tsx @@ -4,6 +4,8 @@ export function SupabaseIcon(props: React.SVGProps<SVGSVGElement>) { viewBox="0 0 109 113" fill="none" xmlns="http://www.w3.org/2000/svg" + role="img" + aria-label="Supabase" {...props} > <path @@ -44,5 +46,5 @@ export function SupabaseIcon(props: React.SVGProps<SVGSVGElement>) { </linearGradient> </defs> </svg> - ) + ); } diff --git a/src/components/integration-logos.tsx b/src/components/integration-logos.tsx index 2ea7c85..e679d23 100644 --- a/src/components/integration-logos.tsx +++ b/src/components/integration-logos.tsx @@ -5,6 +5,7 @@ export function PrismaLogo({ className }: { className?: string }) { fill="currentColor" xmlns="http://www.w3.org/2000/svg" className={className} + role="img" aria-label="Prisma" > <path d="M254.313 235.519 148.057 4.5a8.288 8.288 0 0 0-7.215-4.486 8.534 8.534 0 0 0-7.499 4.084L1.296 212.55a8.521 8.521 0 0 0 .1 9.282l54.915 82.731a8.518 8.518 0 0 0 9.687 3.396l181.79-59.7a8.518 8.518 0 0 0 5.282-4.79 8.524 8.524 0 0 0 1.243-7.95Zm-23.077 5.769-156.642 51.45c-2.871.943-5.704-1.689-4.876-4.573l54.45-189.751a3.453 3.453 0 0 1 6.541-.252l103.013 137.317a3.454 3.454 0 0 1-2.486 5.809Z" /> @@ -19,6 +20,8 @@ export function DrizzleLogo({ className }: { className?: string }) { fill="currentColor" xmlns="http://www.w3.org/2000/svg" className={className} + role="img" + aria-label="Drizzle" > <rect width="5.25365" @@ -65,6 +68,8 @@ export function SupabaseLogo({ className }: { className?: string }) { fill="none" xmlns="http://www.w3.org/2000/svg" className={className} + role="img" + aria-label="Supabase" > {/* Wordmark β€” uses currentColor */} <path @@ -121,6 +126,8 @@ export function DynamoDBLogo({ className }: { className?: string }) { height="446" viewBox="0 0 561 446" className={className} + role="img" + aria-label="DynamoDB" > <g fill="none" transform="translate(.311)"> {/* Wordmark β€” uses currentColor */} diff --git a/src/components/mermaid.tsx b/src/components/mermaid.tsx new file mode 100644 index 0000000..33d59d3 --- /dev/null +++ b/src/components/mermaid.tsx @@ -0,0 +1,90 @@ +"use client"; + +import { useEffect, useId, useState } from "react"; + +/** + * Renders a Mermaid diagram authored as a ```mermaid code fence. + * + * The fence stays a code fence all the way through the markdown pipeline. The + * Shiki transformer in `source.config.ts` copies its source onto the `<pre>` as + * `data-mermaid`, and `TrackedCodeBlock` swaps in this component at render + * time. That ordering matters: `fumadocs-mdx` serializes the *same* mdast tree + * that it renders, so a remark plugin rewriting the fence into JSX would also + * rewrite the markdown we serve at `.mdx` and in llms.txt, where a diagram + * should degrade to readable source rather than an opaque component call. + * + * Mermaid is ~1MB, so it is imported dynamically inside the effect. Only pages + * that actually contain a diagram pay for it, and it never enters the server + * bundle. + */ +export function Mermaid({ chart }: { chart: string }) { + // `useId` yields colons, which are not valid in a DOM id passed to Mermaid. + const id = useId().replace(/[^a-zA-Z0-9]/g, ""); + const [svg, setSvg] = useState<string>(""); + const [failed, setFailed] = useState(false); + + useEffect(() => { + let cancelled = false; + + async function render() { + const mermaid = (await import("mermaid")).default; + const isDark = document.documentElement.classList.contains("dark"); + + mermaid.initialize({ + startOnLoad: false, + theme: isDark ? "dark" : "default", + // Diagram labels should match the surrounding prose, not Mermaid's + // default sans stack. + fontFamily: "inherit", + securityLevel: "strict", + }); + + try { + const { svg } = await mermaid.render(`mermaid-${id}`, chart); + if (!cancelled) setSvg(svg); + } catch { + // A malformed diagram falls back to its source rather than blanking the + // page. `scripts/validate-mermaid.ts` fails the build before this can + // reach production, so in practice this covers only the render step. + if (!cancelled) setFailed(true); + } + } + + render(); + + // Re-render on theme toggle: Mermaid bakes colours into the SVG. + const observer = new MutationObserver(render); + observer.observe(document.documentElement, { + attributes: true, + attributeFilter: ["class"], + }); + + return () => { + cancelled = true; + observer.disconnect(); + }; + }, [chart, id]); + + if (failed) { + return ( + <pre className="my-6 overflow-x-auto rounded-lg border border-fd-border bg-fd-card p-4 text-sm"> + <code>{chart}</code> + </pre> + ); + } + + if (!svg) { + // Nothing to reserve: the diagram appears once Mermaid resolves, and a + // placeholder box would only add a layout jump. + return null; + } + + return ( + <div + className="my-6 flex justify-center overflow-x-auto rounded-lg border border-fd-border bg-fd-card p-4 [&_svg]:h-auto [&_svg]:max-w-full" + // Mermaid output, generated from our own content with securityLevel: strict. + // biome-ignore lint/security/noDangerouslySetInnerHtml: Mermaid returns an SVG string. + dangerouslySetInnerHTML={{ __html: svg }} + /> + ); +} diff --git a/src/components/zerokms-regions.tsx b/src/components/zerokms-regions.tsx new file mode 100644 index 0000000..1fd1617 --- /dev/null +++ b/src/components/zerokms-regions.tsx @@ -0,0 +1,30 @@ +import { ZEROKMS_REGIONS } from "@/lib/zerokms-regions"; + +/** + * Renders the supported ZeroKMS regions. Used by every page that lists regions + * so the list is maintained in exactly one place (`@/lib/zerokms-regions`). + */ +export function ZeroKmsRegions() { + return ( + <table> + <thead> + <tr> + <th>Area</th> + <th>Location</th> + <th>Region identifier</th> + </tr> + </thead> + <tbody> + {ZEROKMS_REGIONS.map((region) => ( + <tr key={region.id}> + <td>{region.area}</td> + <td>{region.location}</td> + <td> + <code>{region.id}</code> + </td> + </tr> + ))} + </tbody> + </table> + ); +} diff --git a/src/lib/eql-version.ts b/src/lib/eql-version.ts new file mode 100644 index 0000000..58f5f8a --- /dev/null +++ b/src/lib/eql-version.ts @@ -0,0 +1,4 @@ +// GENERATED by scripts/generate-eql-api-docs.ts from the EQL release manifest. +// Do not edit; the prebuild step overwrites it with the version of the EQL +// release the docs are built against. +export const EQL_VERSION = "3.0.0-sample"; diff --git a/src/lib/layout.shared.tsx b/src/lib/layout.shared.tsx index cba3da9..f0505ad 100644 --- a/src/lib/layout.shared.tsx +++ b/src/lib/layout.shared.tsx @@ -9,11 +9,13 @@ export const gitConfig = { function Logo() { return ( <div className="flex items-center gap-3"> + {/* biome-ignore lint/performance/noImgElement: static SVG logo; next/image gives no benefit for SVGs and would need extra config */} <img src="/docs/images/cipherstash-logo-dark.svg" alt="CipherStash" className="h-5 w-5 hidden dark:block" /> + {/* biome-ignore lint/performance/noImgElement: static SVG logo; next/image gives no benefit for SVGs and would need extra config */} <img src="/docs/images/cipherstash-logo-light.svg" alt="CipherStash" diff --git a/src/lib/posthog/provider.tsx b/src/lib/posthog/provider.tsx index 711982a..9d7a5cb 100644 --- a/src/lib/posthog/provider.tsx +++ b/src/lib/posthog/provider.tsx @@ -1,13 +1,13 @@ "use client"; -import posthog from "posthog-js"; import { usePathname, useSearchParams } from "next/navigation"; +import posthog from "posthog-js"; import { - Suspense, createContext, + type ReactNode, + Suspense, useContext, useEffect, - type ReactNode, } from "react"; const PostHogContext = createContext<typeof posthog | null>(null); diff --git a/src/lib/source.ts b/src/lib/source.ts index 97ae84f..b3b58ca 100644 --- a/src/lib/source.ts +++ b/src/lib/source.ts @@ -1,7 +1,8 @@ -import { docs } from "fumadocs-mdx:collections/server"; +import { docs, v2docs } from "fumadocs-mdx:collections/server"; +import type * as PageTree from "fumadocs-core/page-tree"; import { type InferPageType, loader } from "fumadocs-core/source"; -import { createElement } from "react"; import { icons } from "lucide-react"; +import { createElement } from "react"; import { SupabaseIcon } from "@/components/icons/supabase"; const customIcons: Record<string, () => React.ReactElement> = { @@ -23,6 +24,68 @@ export const source = loader({ icon: resolveIcon, }); +// V2 IA tree (CIP-3325): content/docs served from the site root, e.g. +// /docs/get-started/quickstart. Lives alongside the legacy `source` during +// the migration; the legacy loader and /stack routes are deleted at the end. +export const v2source = loader({ + baseUrl: "/", + source: v2docs.toFumadocsSource(), + icon: resolveIcon, +}); + +// Sidebar folders whose only page is their index render with a collapse +// chevron pointing at nothing. Collapse such folders into plain page items; +// they become folders again automatically once real sub-pages land. +function flattenEmptyFolders(nodes: PageTree.Node[]): PageTree.Node[] { + return nodes.map((node) => { + if (node.type !== "folder") return node; + const children = flattenEmptyFolders(node.children); + if (children.length === 0 && node.index) { + return { ...node.index, icon: node.index.icon ?? node.icon }; + } + return { ...node, children }; + }); +} + +// The sidebar label comes from a page's `title`, which is also its H1. A +// section index wants a short nav label ("Overview") under a folder that +// already names the section, while keeping the descriptive H1. `navTitle` +// frontmatter overrides the label only; the URL and H1 are untouched. +function applyNavTitles(nodes: PageTree.Node[]): PageTree.Node[] { + const navTitles = new Map<string, string>(); + for (const page of v2source.getPages()) { + const navTitle = page.data.navTitle; + if (navTitle) navTitles.set(page.url, navTitle); + } + if (navTitles.size === 0) return nodes; + + const rename = (list: PageTree.Node[]): PageTree.Node[] => + list.map((node) => { + if (node.type === "folder") { + return { + ...node, + index: node.index + ? (rename([node.index])[0] as typeof node.index) + : undefined, + children: rename(node.children), + }; + } + if (node.type !== "page") return node; + const navTitle = navTitles.get(node.url); + return navTitle ? { ...node, name: navTitle } : node; + }); + + return rename(nodes); +} + +export function getV2PageTree(): PageTree.Root { + const tree = v2source.getPageTree(); + return { + ...tree, + children: applyNavTitles(flattenEmptyFolders(tree.children)), + }; +} + export function getPageImage(page: InferPageType<typeof source>) { const segments = [...page.slugs, "image.png"]; @@ -32,7 +95,9 @@ export function getPageImage(page: InferPageType<typeof source>) { }; } -export async function getLLMText(page: InferPageType<typeof source>) { +export async function getLLMText( + page: InferPageType<typeof source> | InferPageType<typeof v2source>, +) { const processed = await page.data.getText("processed"); return `# ${page.data.title} diff --git a/src/lib/zerokms-regions.ts b/src/lib/zerokms-regions.ts new file mode 100644 index 0000000..9efe432 --- /dev/null +++ b/src/lib/zerokms-regions.ts @@ -0,0 +1,26 @@ +/** + * The ZeroKMS regions a workspace can be deployed into. Single source of truth: + * rendered by the `<ZeroKmsRegions />` MDX component on every page that lists + * regions, so the list can't drift between the regions reference and the + * data-residency page. + * + * `id` is the region component of a workspace CRN + * (`crn:<id>:<workspace-id>`, e.g. `crn:ap-southeast-2.aws:ZVATKW3VHMFG27DY`). + * The `.aws` suffix is part of the identifier: ZeroKMS is deployed only on AWS + * today, and the suffix leaves room for other cloud providers later. + */ +export type ZeroKmsRegion = { + area: string; + location: string; + id: string; +}; + +export const ZEROKMS_REGIONS: ZeroKmsRegion[] = [ + { area: "Asia Pacific", location: "Sydney", id: "ap-southeast-2.aws" }, + { area: "Europe", location: "Frankfurt", id: "eu-central-1.aws" }, + { area: "Europe", location: "Ireland", id: "eu-west-1.aws" }, + { area: "US East", location: "N. Virginia", id: "us-east-1.aws" }, + { area: "US East", location: "Ohio", id: "us-east-2.aws" }, + { area: "US West", location: "N. California", id: "us-west-1.aws" }, + { area: "US West", location: "Oregon", id: "us-west-2.aws" }, +]; diff --git a/src/mdx-components.tsx b/src/mdx-components.tsx index ba31fd2..f05ae7c 100644 --- a/src/mdx-components.tsx +++ b/src/mdx-components.tsx @@ -3,6 +3,8 @@ import { Step, Steps } from "fumadocs-ui/components/steps"; import defaultMdxComponents from "fumadocs-ui/mdx"; import type { MDXComponents } from "mdx/types"; import { TrackedCodeBlock } from "@/components/code-block"; +import { EqlVersion } from "@/components/eql-version"; +import { ZeroKmsRegions } from "@/components/zerokms-regions"; export function getMDXComponents(components?: MDXComponents): MDXComponents { return { @@ -13,6 +15,8 @@ export function getMDXComponents(components?: MDXComponents): MDXComponents { Callout, Steps, Step, + EqlVersion, + ZeroKmsRegions, ...components, }; } diff --git a/src/proxy.ts b/src/proxy.ts index 028dd8f..5d45773 100644 --- a/src/proxy.ts +++ b/src/proxy.ts @@ -1,5 +1,5 @@ -import { NextResponse } from "next/server"; import type { NextFetchEvent, NextRequest } from "next/server"; +import { NextResponse } from "next/server"; import { getPostHogClient } from "@/lib/posthog/server"; const SKIP_PATHS = ["/api", "/_next/static", "/_next/image", "/ingest"]; diff --git a/v2-redirects.mjs b/v2-redirects.mjs new file mode 100644 index 0000000..e983333 --- /dev/null +++ b/v2-redirects.mjs @@ -0,0 +1,383 @@ +// V2 IA redirect map (CIP-3325): every legacy /stack/* URL β†’ its new home. +// Derived from the migration map in IA.md; completeness is enforced by +// `scripts/validate-v2-redirects.ts` (every content/stack page must match an +// entry here, exact or wildcard). +// +// Gated behind ENABLE_V2_REDIRECTS=1 in next.config.mjs: during the migration +// the preview site serves BOTH trees (legacy at /stack, v2 at the root), so +// unmigrated content stays reachable. The flag flips on at merge; once +// content/stack is deleted these entries become unconditional (CIP-3335). +// +// Conventions (matching next.config.mjs): sources/destinations omit the +// "/docs" basePath. Order matters β€” specific entries before wildcards. +// +// All entries are `permanent: false` (307) while the IA settles β€” browsers +// and crawlers cache 308s aggressively, and a mis-cached destination is hard +// to walk back. Flip to permanent once the map has soaked post-merge +// (CIP-3335). +export const v2Redirects = [ + // === Roots === + { source: "/stack", destination: "/", permanent: false }, + { + source: "/stack/quickstart", + destination: "/get-started/quickstart", + permanent: false, + }, + { source: "/stack/cipherstash", destination: "/", permanent: false }, + { + source: "/stack/cipherstash/postgres", + destination: "/reference/eql", + permanent: false, + }, + { + source: "/stack/cipherstash/supabase", + destination: "/integrations/supabase", + permanent: false, + }, + + // === Encryption SDK section β†’ Reference/stack + new homes === + { + source: "/stack/cipherstash/encryption", + destination: "/reference/stack", + permanent: false, + }, + { + source: "/stack/cipherstash/encryption/searchable-encryption", + destination: "/concepts/searchable-encryption", + permanent: false, + }, + { + source: "/stack/cipherstash/encryption/identity", + destination: "/concepts/identity-aware-encryption", + permanent: false, + }, + { + source: "/stack/cipherstash/encryption/drizzle", + destination: "/integrations/drizzle", + permanent: false, + }, + { + source: "/stack/cipherstash/encryption/prisma-next", + destination: "/integrations/prisma-next", + permanent: false, + }, + { + source: "/stack/cipherstash/encryption/dynamodb", + destination: "/integrations/aws/dynamodb", + permanent: false, + }, + { + source: "/stack/cipherstash/encryption/supabase", + destination: "/reference/stack/supabase", + permanent: false, + }, + { + source: "/stack/cipherstash/encryption/indexes", + destination: "/reference/eql/indexes", + permanent: false, + }, + { + source: "/stack/cipherstash/encryption/queries", + destination: "/reference/eql/filtering", + permanent: false, + }, + // configuration, encrypt-decrypt, bulk-operations, models, schema, storing-data + { + source: "/stack/cipherstash/encryption/:path*", + destination: "/reference/stack/:path*", + permanent: false, + }, + + // === KMS section β†’ Security + Reference/auth + Concepts === + { + source: "/stack/cipherstash/kms", + destination: "/security/zerokms", + permanent: false, + }, + { + source: "/stack/cipherstash/kms/cts", + destination: "/security/cts", + permanent: false, + }, + { + source: "/stack/cipherstash/kms/oidc", + destination: "/reference/auth/oidc-configuration", + permanent: false, + }, + { + source: "/stack/cipherstash/kms/access-keys", + destination: "/reference/auth/access-keys", + permanent: false, + }, + { + source: "/stack/cipherstash/kms/clients", + destination: "/reference/auth/clients", + permanent: false, + }, + { + source: "/stack/cipherstash/kms/disaster-recovery", + destination: "/security/availability-and-continuity", + permanent: false, + }, + { + source: "/stack/cipherstash/kms/keysets", + destination: "/concepts/key-management", + permanent: false, + }, + { + source: "/stack/cipherstash/kms/regions", + destination: "/security/zerokms", + permanent: false, + }, + { + source: "/stack/cipherstash/kms/configuration", + destination: "/reference/workspace/configuration", + permanent: false, + }, + + // === Proxy section β†’ Reference/proxy + new homes === + { + source: "/stack/cipherstash/proxy", + destination: "/reference/proxy", + permanent: false, + }, + { + source: "/stack/cipherstash/proxy/audit", + destination: "/security/audit-logging", + permanent: false, + }, + { + source: "/stack/cipherstash/proxy/getting-started", + destination: "/integrations/aws/rds-aurora", + permanent: false, + }, + { + source: "/stack/cipherstash/proxy/encrypt-tool", + destination: "/guides/migration/encrypt-existing-data", + permanent: false, + }, + { + source: "/stack/cipherstash/proxy/searchable-json", + destination: "/reference/eql/json", + permanent: false, + }, + { + source: "/stack/cipherstash/proxy/troubleshooting", + destination: "/guides/troubleshooting/proxy", + permanent: false, + }, + // configuration, message-flow, multitenant + { + source: "/stack/cipherstash/proxy/:path*", + destination: "/reference/proxy/:path*", + permanent: false, + }, + + // === CLI section β†’ Reference/cli === + { + source: "/stack/cipherstash/cli", + destination: "/reference/cli", + permanent: false, + }, + { + source: "/stack/cipherstash/cli/troubleshooting", + destination: "/guides/troubleshooting/cli", + permanent: false, + }, + { + source: "/stack/cipherstash/cli/:path*", + destination: "/reference/cli/:path*", + permanent: false, + }, + + // === Deploy section β†’ Guides === + { + source: "/stack/deploy", + destination: "/guides/deployment", + permanent: false, + }, + { + source: "/stack/deploy/going-to-production", + destination: "/guides/deployment/going-to-production", + permanent: false, + }, + { + source: "/stack/deploy/aws-ecs", + destination: "/guides/deployment/proxy-deployment", + permanent: false, + }, + { + source: "/stack/deploy/bundling", + destination: "/guides/deployment/serverless-and-bundling", + permanent: false, + }, + { + source: "/stack/deploy/sst", + destination: "/guides/deployment/serverless-and-bundling", + permanent: false, + }, + { + source: "/stack/deploy/testing", + destination: "/guides/development/testing-and-ci", + permanent: false, + }, + { + source: "/stack/deploy/team-onboarding", + destination: "/guides/development/team-onboarding", + permanent: false, + }, + { + source: "/stack/deploy/troubleshooting", + destination: "/guides/troubleshooting", + permanent: false, + }, + + // === Reference section === + { source: "/stack/reference", destination: "/reference", permanent: false }, + { + source: "/stack/reference/what-is-cipherstash", + destination: "/get-started/what-is-cipherstash", + permanent: false, + }, + { + source: "/stack/reference/security-architecture", + destination: "/security/cryptography", + permanent: false, + }, + { + source: "/stack/reference/compliance", + destination: "/security/compliance", + permanent: false, + }, + { + source: "/stack/reference/comparisons", + destination: "/concepts/compare", + permanent: false, + }, + { + source: "/stack/reference/comparisons/:path*", + destination: "/concepts/compare/:path*", + permanent: false, + }, + { + source: "/stack/reference/use-cases", + destination: "/solutions", + permanent: false, + }, + { + // The AI/RAG page is not part of the v2 tree yet (it needs a rewrite before + // it can be republished), so send its legacy URL to the Solutions index + // rather than a page that does not exist. + source: "/stack/reference/use-cases/ai-rag", + destination: "/solutions", + permanent: false, + }, + { + source: "/stack/reference/use-cases/compliance", + destination: "/security/compliance", + permanent: false, + }, + { + source: "/stack/reference/use-cases/:path*", + destination: "/solutions/:path*", + permanent: false, + }, + { + source: "/stack/reference/billing", + destination: "/reference/workspace/billing", + permanent: false, + }, + { + source: "/stack/reference/members", + destination: "/reference/workspace/members", + permanent: false, + }, + { + source: "/stack/reference/cipher-cell", + destination: "/reference/eql/core-concepts", + permanent: false, + }, + { + source: "/stack/reference/eql-guide", + destination: "/reference/eql", + permanent: false, + }, + { + source: "/stack/reference/eql", + destination: "/reference/eql", + permanent: false, + }, + { + source: "/stack/reference/eql/:path*", + destination: "/reference/eql/:path*", + permanent: false, + }, + { + source: "/stack/reference/encryption-sdk", + destination: "/reference/stack", + permanent: false, + }, + { + source: "/stack/reference/error-handling", + destination: "/reference/stack/errors", + permanent: false, + }, + // NOTE: legacy "migration" page is the @cipherstash/protectβ†’stack package + // rename guide, NOT data migration (see IA.md). + { + source: "/stack/reference/migration", + destination: "/reference/stack/upgrading-from-protect", + permanent: false, + }, + { + source: "/stack/reference/proxy-errors", + destination: "/reference/proxy/errors", + permanent: false, + }, + { + source: "/stack/reference/proxy-reference", + destination: "/reference/proxy/configuration", + permanent: false, + }, + { + source: "/stack/reference/drizzle", + destination: "/integrations/drizzle", + permanent: false, + }, + { + source: "/stack/reference/dashboard-supabase-integration", + destination: "/integrations/supabase", + permanent: false, + }, + { + source: "/stack/reference/discovery-session", + destination: "/get-started/choose-your-stack", + permanent: false, + }, + { + source: "/stack/reference/planning-guide", + destination: "/get-started/choose-your-stack", + permanent: false, + }, + { + source: "/stack/reference/supported-solutions", + destination: "/integrations", + permanent: false, + }, + { + source: "/stack/reference/agent-skills", + destination: "/reference/agent-skills", + permanent: false, + }, + { + source: "/stack/reference/glossary", + destination: "/reference/glossary", + permanent: false, + }, + // Generated TypeDoc API reference (scripts/generate-docs.ts output) + { + source: "/stack/reference/stack/:path*", + destination: "/reference/stack/:path*", + permanent: false, + }, +];